That's true. In fact if the "header" part is constant except for the changing timestamp of course I'd simply SEDCMD it away. Then you'd have a pure json payload, a proper timestamp and no unnecessary "header" bloat in your index.
Hi, I have a unique request: I want the Event Actions --> Show Source link to be displayed on the dashboard directly, instead of drilling down by opening the query --> event and then --> show source.
@PickleRick , you are right about the line breaker, I used a capturing group to keep only JSON messages. 
Hi Splunkers, we have an issue with our Telegram alert. We set the alert to send every 5 minutes, but what happens is that the alert is sent only one or two times per day. We set the proxy server and confirmed with telnet that it connects:

telnet xxx.xxx.co.id 8080
Trying xx.xx.xx.xx...
Connected to xxx.xxx.co.id.

We also checked splunkd.log and there is an SSL error. Below is the error log:

11-04-2024 10:30:07.063 +0700 ERROR sendmodalert [2216772 AlertNotifierWorker-0] - action=telegram STDERR - WARNING:urllib3.connectionpool:Retrying (Retry(total=2, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, '[SSL: UNKNOWN_PROTOCOL] unknown protocol (_ssl.c:1106)'))': /bot7980126779:AAGIDUqqXlAEdfeLE7_OcOiqtJCIOzVljXc/sendMessage?chat_id=-4525666353&text=%3Cb%3ESPLUNK+ALERT+MESSAGE%0A------------------------------%3C%2Fb%3E%0A%3Cb%3EAlert+Name%3C%2Fb%3E%3A+test_telegram+%0A%3Cb%3ESEVERITY%3C%2Fb%3E%3A+High+%0A%3Cb%3EMESSAGE%3C%2Fb%3E%3A+R2.BRN.PE-MOBILE.2%3B56+%0A%3Cb%3EResults+Link%3C%2Fb%3E%3A+https%3A%2F%2Fdcosplunksearchhead%3A8000%2Fapp%2Falert_telegram%2Fsearch%3Fq%3D%257Cloadjob%2520scheduler__usercomm_YWxlcnRfdGVsZWdyYW0__RMD5486a20947b8a80a2_at_1730691000_1982%2520%257C%2520head%25201%2520%257C%2520tail%25201%26earliest%3D0%26latest%3Dnow&parse_mode=HTML
11-04-2024 10:30:07.363 +0700 INFO sendmodalert [2216772 AlertNotifierWorker-0] - action=telegram - Alert action script completed in duration=6326 ms with exit code=5
11-04-2024 10:30:07.363 +0700 WARN sendmodalert [2216772 AlertNotifierWorker-0] - action=telegram - Alert action script returned error code=5
11-04-2024 10:30:07.363 +0700 ERROR sendmodalert [2216772 AlertNotifierWorker-0] - Error in 'sendalert' command: Alert script returned error code 5.

Please help us to solve this issue. Thanks.
@catta99 Please check the code below:

function test() {
    console.log("in test");
}

require([
    "jquery",
    "splunkjs/mvc",
    "splunkjs/mvc/simplexml/ready!"
], function($, mvc) {
    console.log("hello 2");

    function test1() {
        console.log("in test1");
    }

    $(document).ready(function () {
        $("#back").click(function () {
            alert("button");
            var param = $(this).data("param");
            console.log(param);
            console.log("click");
            history.back();
        });
        $("#backtest").click(function () {
            test();
            alert("Back");
        });
        $("#back1test").click(function () {
            test1();
            alert("Back1");
        });
    });
});

Splunk Web Framework works a little differently from regular or native jQuery/JavaScript behaviour, especially on HTML elements. So when you write

<button onclick="test()">Back</button>
<button onclick="test1()">Back1</button>

it may not work, because when you run the dashboard, the Dashboard XML is rendered into a compiled version of JS, CSS and HTML. After all this processing it allows the developer to add custom JS, CSS and even custom components through custom JS like button_test.js. So all customisation and the element event handling will be defined in this JS only. Suggestion: using the code below is not best practice. Just code what you want instead of this.history.back(); I hope this will help you. Let me know if you need further help on this. Thanks, KV. An upvote would be appreciated if any of my replies help you solve the problem or gain knowledge.
But the restart process is already done and it still shows the same value.
This is correct, however, Splunk will log a message every time it copies a timestamp from a previous event.  These messages will affect the metrics on the Data Quality dashboard in the Monitoring Console/Cloud Monitoring Console.
You can try this as your line breaker: ([\r\n](?=\d{4}-\d{2}-\d{2}T)|(?<=ContentGenerator) ) See https://regex101.com/r/gw5YHj/1
Ok, right you are. The docs are not very good around this - indeed, if a timestamp cannot be parsed it will be assumed to be from the previous event, but in your case that would mean you'd have to make sure the whole blob gets forwarded to a single downstream (idx or HF).
@PickleRick if there is no timestamp within a log entry, then the other event which has a timestamp will be added to it.
What do you mean by "timestamp will be taken"? The timestamp is either parsed out of the event or assumed to be the time of ingestion (or it can be explicitly provided for HEC input).
@PickleRick. The timestamp will be taken from the other event; that won't be an issue. That's what the requirement is, and I need help on writing a regex to match the pattern.
Hello @shai, have you also tried using a cron job? Yes, we need to define the modinput in inputs.conf.spec to get that populated in the UI. Can you also try with local/inputs.conf? What version of Splunk are you running? I don't recall; this must be an old known issue for Windows. I recommend reaching out to support if you are stuck. If this helps, please upvote.
Each Windows computer gathers security events pertaining to that particular computer. So domain controllers log all activity that occurs on them: domain logins, domain logouts and so on. Workstations log into their own Security event log the events which occur on them, like local logins and logouts. So there is no way to get local events from those workstations by looking in the domain controllers' event logs. These are two separate things. You need to ingest Security event logs from those workstations. You can get them either by installing a UF on each of them and ingesting the local event log from each of those workstations, or by setting up a WEF collector and a forwarding policy so that you gather logs centrally, and from this central collector you'd pull them with a UF. There are also additional ways, but these are the only two reasonable ones.
Your line breaker will consume the matched data. You'd need to do a non-capturing group. But it's tricky, since a line breaker here would need to match two different strings preceded or followed by two different things. It might be doable, but it's gonna be difficult and ugly. But there is another issue here of which @arunsoni should be aware. If you even manage to break your events this way, one of your events will contain a timestamp and the other will not. One will be a valid (I assume) JSON, the other will not. Your data will be inconsistent.
How about something like this to start with? index=_internal sourcetype=splunkd log_level=WARN host=sh* component=DispatchManager "QUEUED" | stats count by host  
Hi @arunsoni, you can try the props below:

[your_sourcetype]
DATETIME_CONFIG=CURRENT
SHOULD_LINEMERGE=false
LINE_BREAKER=(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z\s\[\w+\]\s\w+\s)\{
TRUNCATE=20000
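The two line-breaker approaches discussed in this thread behave very differently on the same input, and the difference is easier to see by running them. The example below is added here; it is not part of any of the posts and not Splunk's own code. The splunk_line_break function is an approximation of LINE_BREAKER semantics written for this example (the start of capture group 1 ends the previous event, the end of the group starts the next one, and the captured text is discarded), and the two sample log lines are constructed. It shows that breaking before the timestamp and after ContentGenerator produces alternating header/JSON events of inconsistent shape, while capturing the whole header produces pure JSON events that carry no timestamp of their own, which is why the props above pair it with DATETIME_CONFIG=CURRENT.

```python
import json
import re

# Constructed sample: two log lines, each a "timestamp [LEVEL] component " header
# followed by a JSON payload (not real data from the thread).
SAMPLE = (
    '2024-11-04T10:30:07.063Z [INFO] ContentGenerator {"id": 1, "status": "ok"}\n'
    '2024-11-04T10:30:08.064Z [WARN] ContentGenerator {"id": 2, "status": "retry"}\n'
)

# Breaker suggested earlier in the thread: break before a timestamp line OR
# after "ContentGenerator", so header and payload become separate events.
SPLIT_BREAKER = r"([\r\n](?=\d{4}-\d{2}-\d{2}T)|(?<=ContentGenerator) )"

# Breaker from the props above: the whole header is the capture group, so it is
# discarded and each event starts at the opening brace of the JSON payload.
HEADER_BREAKER = r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z\s\[\w+\]\s\w+\s)\{"

TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z")


def splunk_line_break(breaker: str, raw: str) -> list[str]:
    """Approximation of Splunk LINE_BREAKER semantics (written for this example).

    Wherever the regex matches, the start of capture group 1 ends the previous
    event and the end of capture group 1 starts the next one; the captured text
    itself is dropped. Trailing newlines are trimmed and empty events skipped,
    which is a simplification for readability.
    """
    pattern = re.compile(breaker)
    events = []
    start = 0
    for m in pattern.finditer(raw):
        if m.group(1) is None:  # group did not participate: no boundary here
            continue
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    return [e.rstrip("\r\n") for e in events if e.strip()]


def classify(event: str) -> dict:
    """Describe the shape of one event: does it start with a timestamp, is it JSON?"""
    try:
        json.loads(event)
        is_json = True
    except ValueError:
        is_json = False
    return {"has_timestamp": bool(TS_RE.match(event)), "is_json": is_json}


def consistent(events: list[str]) -> bool:
    """True when every event has the same shape (the property the thread wants)."""
    shapes = {tuple(sorted(classify(e).items())) for e in events}
    return len(shapes) == 1


if __name__ == "__main__":
    for name, breaker in (("split", SPLIT_BREAKER), ("header", HEADER_BREAKER)):
        events = splunk_line_break(breaker, SAMPLE)
        print(f"{name}: {len(events)} events, consistent={consistent(events)}")
        for e in events:
            print("   ", classify(e), repr(e))
```

The split breaker yields four events that alternate between a timestamped non-JSON header and a JSON payload with no timestamp, so any search or timestamp extraction over that sourcetype sees two shapes of data. The header-capturing breaker yields two JSON-only events; because nothing in them carries the original time, the timestamp must come from DATETIME_CONFIG=CURRENT (or be set from the JSON if the payload carried one).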
Hello. I installed the AppDynamics platform recently and I want to instrument a .NET Core application in Docker. For all the other agents, such as the machine agent, I used secure credentials, but for .NET Core in containers I couldn't find any reference for an environment variable which I can set in the Docker image. Is there any way to use secure credentials like with the Java agent?
Hi @gcusello, what stanza should I insert in inputs.conf to monitor all the client accesses to the DC? And what do you mean by local events?
Hi @hazem, having the UF on the Domain Controller you can monitor all the accesses to the DC from the clients, but not the local events from each server. To have local events, you have to install a UF on each client. Ciao. Giuseppe