Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
Hi @karthi2809, you can use this regex:

| rex field=source "^\/\w+\/\w+\/(?<environment>\w+)\/\w+-(?<component>[^-]+)-(?<filename>.*)"

You can test this regex at https://regex101.com/r/0VJvAw/1

Ciao. Giuseppe
Adding sourcetype additionally in props.conf fulfilled my requirement. Thanks
How to extract fields from the source below?

/audit/logs/QTEST/qtestw-core_server4-core_server4.log

I need to extract:
QTEST as environment
qtestw as hostname
core_server4 as component
core_server4.log as filename
Great thanks, it works with classic IR view
Alright, if the "TEST" keyword is in the search title, you can filter it as shown below.

search_name!=*TEST*

------ If you find this solution helpful, please consider accepting it and awarding karma points !!
Hi @jawahir007, we don't want to suppress them, just hide them based on a saved filter.
You can achieve this by creating Custom Notable Event Suppressions. Please refer to the link below for more details. https://docs.splunk.com/Documentation/ES/7.3.2/Admin/Customizenotables#Create_and_manage_notable_event_suppressions ------ If you find this solution helpful, please consider accepting it and awarding karma points !!
Hello, we would like to filter ES Incident Review and hide notables containing the TEST keyword, for example. How can we do this? Thanks for your help.
In this case it is asking for an „Episode State“. Do you try to set episode state by an info in the event?
Take a look into the index itsi_grouped_alerts and try to find your alert which should fire the alert action. Check if you can find the field you are referring to in this event and if there is content.
Hello @fernan2ruiz, since it's not a supported driver you have to get the driver from the vendor from this link: https://documentation.softwareag.com/adabas/cxx146/install/CONNXInstall/Connecting_to_CONNX_JDBC_Server.htm and create a server class something like below:

[ADABAS]
displayName = adabas
serviceClass = com.splunk.dbx2.DefaultDBX2JDBC
jdbcDriverClass = com.Connx.jdbc.TCJdbc.TCJdbcDriver
jdbcUrlFormat = jdbc:adabas://:/

Splunk doc for server class creation for an unsupported driver: https://docs.splunk.com/Documentation/DBX/3.18.1/DeployDBX/Installdatabasedrivers#:~:text=on%20Windows%20hosts).-,Add%20the%20custom%20database%20to%20db_connection_types.conf,For%20more%20information%2C%20see%20Configuration%20file%20reference.,-Database%20connection%20validation
As far as I know the only way is to build this by yourself. An idea would be to establish this with a correlation search which detects the change and creates a notable event, which will be added to the episode because the NEAP will fetch it and trigger the event you want to have. As a common way to do this, this event should have specific fields like send_email=yes and email_content=>YOURCONTENT<, so you can use these fields as a trigger and preconfigure the content of your email.
Hi, maybe you are searching for this: https://docs.splunk.com/Documentation/Splunk/9.3.1/Alert/EmailNotificationTokens

Please take also a look into index=_internal if there is a hint why your emails aren't sent. Have you tried whether a normal SPL query with the command "sendemail" works? Are the email server settings correct?
Hello @bulbulator, for sure you have to check the internal logs; there can be multiple reasons behind this issue.
Hi @Devinz, as with all tokens in Splunk, the field to pass as a token to the Correlation Search Title must be in the results of the Correlation Search itself. So, in your first example you would use the $description$ field, but you don't have this field after the stats count BY rule_title command. You have to add to your CS the fields to display in the title. Ciao. Giuseppe
Hi @sajjadali1122, you asked a very broad question. Briefly: at first restrict as much as possible the time range of your search, avoid commands such as join or transaction, and be sure to have performant storage (at least 800 IOPS, better much more!). Then, if you have a large set of data, you can use some acceleration methods that you can find described at:

https://docs.splunk.com/Documentation/SplunkCloud/8.1.12/Knowledge/Aboutdatamodels
https://docs.splunk.com/Documentation/SplunkCloud/9.2.2406/Knowledge/Usesummaryindexing
https://docs.splunk.com/Documentation/SplunkCloud/8.1.12/Report/Acceleratereports
https://www.youtube.com/watch?v=c13phau6zxg
https://docs.splunk.com/Documentation/Splunk/9.3.1/Knowledge/Acceleratetables

and so on, searching "accelerate" on Google. In a few words, you can use a summary index in which you store the results of a scheduled search, so you can search on a reduced record set or already grouped data. Or, if you have to search on structured data, you could use accelerated Data Models. Ciao. Giuseppe
Hi @Kenny_splunk, good for you, see you next time! Let us know if we can help you more, or, please, accept one answer for the other people of the Community. Ciao and happy splunking. Giuseppe P.S.: Karma Points are appreciated by all the contributors
Hi. I do not understand the SHC config well:

[raft_statemachine]
disabled = <boolean>
* Set to true to disable the raft statemachine.
* This feature requires search head clustering to be enabled.
* Any consensus replication among search heads uses this feature.
* Default: true
replicate_search_peers = <boolean>
* Add/remove search-server request is applied on all members of a search head cluster, when this value to set to true.
* Requires a healthy search head cluster with a captain.

What changes in a SHC by setting "disabled = true or false"? By default it is true. "replicate_search_peers = true" works only if disabled is false. What does setting this to true or false do to the cluster?
Edit the server.conf on the manager node or on the search heads?
Found the problem, and fixed.

INFO KeyManagerSearchPeers [601811 TcpChannelThread] - Sending SHC_NODE_HOSTNAME public key to search peer: https://OLDIDX:8089
ERROR SHCMasterPeerHandler [601811 TcpChannelThread] - Could not send public key to peer=https://OLDIDX:8089 for server=SHC_NODE_HOSTNAME (reason='')

Inside the SHC nodes, there was a node to which, probably some time ago, I copied the "distsearch.conf" manually, without deleting all previous peers in the UI or restarting with a clean empty "distsearch.conf". So previous peers remained "as artifacts" (inside a system KV table?), and splunkd read them as active even if not present nor visible in "distsearch.conf" or in the UI DistSearch panel.

Simple solution, from a SHC node UI:
Delete all peers, one by one (the delete syncs with the other nodes)
Insert again all peers, one by one (the insert syncs with the other nodes)

After a clean restart, the WARNING messages with old IDXS/PEERS went away. So, it was a real artifact, I presume inside a system KV table, since on the filesystem no .conf contains them !!! 🤷‍