Have you considered using a summary index to hold the extracted field(s)?
All, I'm ingesting data from Azure that contains (as part of it) a syslog message; I have the vendor-specific application for this syslog message format. Simplified structure below.

{
  CollectorHostName: xxxxx
  Computer: xxxxx
  EventTime: 2025-06-27T07:19:45Z
  Facility: local7
  HostIP: xx.xx.xx.xx
  SyslogMessage: logver=704072731 timestamp=1750983585 devname="xxx" devid="xxx" vd="root" date=2025-06-27 time=00:19:45 eventtime=1751008785866135964 tz="-0700" logid="0100032002" type="event" subtype="system" level="alert" .........
}

What I would ideally like to be able to do is extract (via a search) the "SyslogMessage" field and then re-index this into a new index (and appropriate sourcetype) so that the syslog message can be processed in "the normal way" by the vendor-specific application. Does anyone know how I can achieve this? Many thanks in advance.
You're right, with the dedup it's better. I'm glad we came to a solution together. Happy splunking!
@unluakin Refer to these: "ERROR: IP address 127.0.0.1 not in server certificate. Please see server.conf/[sslConfig]/cliVerifyServerName for details." (Splunk) and "Configure TLS certificate host name validation for secured connections between Splunk software components" (Splunk Docs).
@malix_la_harpe Many thanks for all the advice. I've modified the query and added dedup; the solution seems to be working well. However, what you proposed does the job as well. I really appreciate the time you spent helping me!

| makeresults
| eval event_id=1000, username="test", Computer="xx1", _time=strptime("2025-06-30 16:26:27.01", "%Y-%m-%d %H:%M:%S.%N"), resource="example1"
| append [| makeresults | eval event_id=1000, username="test", Computer="xx2", _time=strptime("2025-06-30 16:26:27.02", "%Y-%m-%d %H:%M:%S.%N"), resource="example2"]
| append [| makeresults | eval event_id=1001, username="test", _time=strptime("2025-06-30 16:26:27.03", "%Y-%m-%d %H:%M:%S.%N"), resource="example3"]
| append [| makeresults | eval event_id=1000, username="truc", Computer="yyy", _time=strptime("2025-06-30 16:26:29", "%Y-%m-%d %H:%M:%S"), resource="example2"]
| append [| makeresults | eval event_id=1001, username="truc", Computer="yyy", _time=strptime("2025-06-30 16:26:32", "%Y-%m-%d %H:%M:%S"), resource="example3"]
| sort _time
| streamstats time_window=1s values(_time) as Time values(Computer) as Computer_name values(event_id) AS EventID, last(eval(if(event_id=1000,event_id,null()))) AS previous_event_id, count(eval(event_id)) as EventCount, last(eval(if(event_id=1000,_time,null()))) AS previous_time by username
| dedup previous_time username sortby EventCount desc
| eval status = if(EventCount>1,"SUCCESS","FAILURE")
| table Time Computer_name EventID username resource status
| sort Time
Until I installed ES on the Enterprise platform I could connect via 127.0.0.1:8000 over a secure https connection. However, after the ES installation https stops connecting and I have to connect through a non-secure connection. Changing the EnableWebSSL parameter to Yes or No does not have any impact. How can I connect securely to my NFR Enterprise environment? Thanks. Ugur
OK. If by "fresh" you mean "I had Splunk before on this machine but uninstalled it", this doesn't count as completely fresh, as some data from the old installation might have been left. The error suggests some old KVstore contents lying around. If this is supposed to be a fresh install, I'd go for cleaning the computer completely of all leftovers; most importantly, delete (or move away) the old directory C:\Program Files\Splunk. You could also remove the old Splunk user and comb through the registry for anything pertaining to Splunk that was left. After that I'd rerun the installer with logging; see https://docs.splunk.com/Documentation/Splunk/9.4.2/Installation/InstallonWindowsviathecommandline#Install_Splunk_Enterprise_with_verbose_logging_to_C:.5CTEMP.5CSplunkInstall.log
I removed all expired ingest-based licenses and restarted the license manager; this removed all current warnings/alerts. So far I don't see any new warnings, so (fingers crossed) everything is fine. Feels good to hear that there were no obvious mistakes during install either. Yes, I can monitor resource usage from the monitoring console; hopefully I can get the "conversion equation" which Splunk uses to translate load towards our allowed allocation. Would be nice to be able to check before onboarding new sources. Thank you for the feedback, much appreciated.
@peterow The error typically occurs when you're trying to add a Developer/Test license to a Splunk instance that is currently using a Production license stack. Splunk enforces license stack segregation, meaning you can't mix Dev/Test licenses with Production ones. If you're moving to a Dev/Test license (e.g., for a non-production environment), you need to remove the existing Production license first.

NOTE: Only do this if you're sure the system should be running under a Dev/Test license. Removing a Production license from a live production system could cause compliance or functionality issues.
@peterow Splunk normally doesn't allow mixing licenses from different subgroups in the same stack. So if your license stack is Production and you use a Dev license, it may not allow it.
-Remove all existing licenses from the stack (including expired ones).
-Better restart Splunk.
-Then add your dev license.
Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!
I received the new license today. I tried both methods: upload the Splunk.License file and copy+paste the XML content. Both failed with this error message:

Bad Request — web_1751612044.5449162.lic: failed to add because: cannot add lic w/ subgroupId=DevTest:<my.email@mycompany.com> to stack w/ subgroupId=Production

I have renewed the license previously and this is not a lab test system. Appreciate any advice.
@fatsug The steps you did look good; nothing is missing, I believe. When your ingest-based license expired and was removed, Splunk likely reverted to the Free license, which is 500MB/day, and is showing the same on the UI. The "Usage Report" tab is only meaningful for ingest-based licenses, so ignore this report tab, as I don't think Splunk has any license usage report for resource-based ones. For now, to monitor resource usage it is better to use the monitoring console only: Monitoring Console > Resource Usage: CPU Usage. Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!
@tbarn005 Your props and transforms look ok. Make sure you are applying this on the HF or indexer, not on the UF. Also add one more transform to filter out the other noise.

props.conf
[source::E:\\SPLogs\\CLGDEVSPAPPSO1*]
TRANSFORMS-debug = route_high_to_debug,drop_noise

transforms.conf
[drop_noise]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

Restart Splunk and check again. Also make sure you have new high category logs from this server. Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!
@sylviee_o It appears there may be remnants from previous Splunk installations, and I'm assuming you're running Windows. Please follow the steps below to ensure you completely remove any old Splunk:
-Open Services (services.msc), find Splunk and stop it.
-Go to Control Panel → Programs → Programs and Features, find Splunk and uninstall it.
-Manually delete the Splunk installation directory (e.g. C:\Program Files\Splunk).
-Clean up the Windows Registry as well: open regedit, search for any remaining keys related to Splunk under the following and delete them:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
  HKEY_LOCAL_MACHINE\SOFTWARE\
Reboot your machine and try again with the latest Splunk Enterprise installation file.
Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!
It is a fresh installation, and updating the previous version doesn't help either, as I am getting the same message. The debugging steps aren't clear to me, and the steps I have taken based on the instructions are not yielding any positive result for me.
Thank you for your response. I installed the 9.4.2 version, but I am still getting the same error message as I shared earlier. Is there a step-by-step way to identify if the MSI log file is missing? I don't know what else to do or how to solve this problem. Thank you.
As already said, don't use any beta versions unless you are testing how that beta is working and you are eager to give feedback to Splunk! Currently there are several beta 10 versions out. All those have separate testing periods and different features to test. You can see those versions on voc.splunk.com, and there are instructions on whether you should install the current license or whether it is already included in the installation package. Also, if there are several versions of an independent beta, normally you must uninstall the old one and then start from scratch with the newer one.
In Splunk's Slack user groups there is a dedicated channel for UCC. Maybe they could help you with this case? You can find it here: https://splunkcommunity.slack.com/archives/C03SG3ZL4S1
There seem to be some nasty restrictions on this add-on depending on what inputs you are using. Sometimes this means that filtering some events away from streams is not as simple as the docs say. Also, those docs are not clear enough for this use case (at least for a user like me, who isn't a native English speaker). So could you tell us more about your case, so we can better understand your issue? The minimum we need to know is your environment:
-single node or distributed environment and, if distributed, which kind, and the versions
-is your Splunk in Azure or AWS or even some other cloud
-one or more tenants
-which inputs you have configured and how
-probably something else will be needed later
I agree with @PickleRick, don't move and upgrade at the same time! Also, you shouldn't upgrade directly from 8.2.x to 9.2.x. The only supported way is to migrate one version at a time, like 8.2 -> 9.0 -> 9.2 etc., and you must start your node(s) after upgrading to each separate version. Splunk doesn't support rollback of a version upgrade, so uninstalling the version is not needed/suggested. Also, you should check in Amz23 at least the systemd startup settings, as those are somehow different than in RHEL. The cgroups default is v2, which needs some parameter changes etc. Also, if your environment needs IMDS, its version has changed to v2. Probably doesn't affect you unless you are using some old AWS TA?