All Posts

Hello, I have a deployment server and deploy an app on a Universal Forwarder, like I usually do (create an app folder -> create a local folder -> write input.conf -> set up the app and server class on the DS, tick disable/enable app, tick restart Splunkd). But after making sure of the log path and the permissions of the log file (664), I don't see the log forwarded. I only manage the Splunk deployment but not the server that hosts the Universal Forwarder, so I asked the system team to check it for me. After some time, they got back to me and said there was no change on the input.conf file. They had to manually restart Splunk on the Universal Forwarder, and after that I saw the log finally ingested. So I want to know if there is an app, or a way, to check whether the app or the input.conf was changed according to my config on the DS or not; I can't ask the system team to check it for me all the time. Thank you.
I have checked splunkd.log and haven't noticed any particular error or warning related to this, nor in the web UI log.
Hello, We are experiencing an issue with the SOCRadar Threat Feed app in our Splunk cluster. The app is configured to download threat feeds every 4 hours; however, each feed pull results in duplicate events being downloaded and indexed. We need assistance in configuring the app to prevent this duplication and ensure data deduplication before being saved to the indexers.
Haven't noticed any particular error in splunkd.log / UI access logs.
Since your last update on 21 Oct 2016 stating that Splunk Enterprise Security does not support multi-tenancy, what is the status right now? Does Splunk Enterprise Security now support multi-tenancy?
This worked! Much appreciated, thank you.
Thank you for your reply. UDP port 514 was in use. I have no idea why it is used by another process, so I needed to use another port to receive packets from the Palo Alto server. However, I solved this problem. The firewalld daemon was blocking the packets coming into Splunk. I stopped firewalld, and could search the Palo Alto logs. I'll go on to the next step of issuing alerts from these logs.
Try these props.conf settings.

    [dolphin]
    SHOULD_LINEMERGE = false
    LINE_BREAKER = ([\r\n]+)\d\d:\d\d:\d\d\d
    DATETIME_CONFIG = current
Hey guys, so I was basically trying to set up Splunk to work with the terminal (bad idea). I ended up moving directories using the CLI and boom! It doesn't work anymore, and I have no way to undo the change via the terminal. I tried deleting and redownloading from Splunk but it doesn't work. Please tell me someone has an answer or a way to reset the directories for the version I once had; I had so much data and apps to practice with. P.S. Even if there isn't a way to get my old version back, I still would like to know why it's not working when I try to redownload a new instance.
I am setting up a monitor on the log file for my Dolphin GameCube emulator. Dolphin and Splunk Enterprise are both running locally on my machine (Windows 11). Splunk is ingesting multiple lines per event, and my hope is to get each line to ingest as a separate event. I have tried all kinds of different props.conf configurations including SHOULD_LINEMERGE, LINE_BREAKER, BREAK_ONLY_BEFORE, etc. I'll paste a sample of the log file below. In this example, Splunk is ingesting lines 1 & 2 as an event, and then 3 & 4 as an event. When I turn on more verbose logging, it will lump even more lines into an event, sometimes 10+.

    21:23:310 Common\FileUtil.cpp:796 I[COMMON]: CreateSysDirectoryPath: Setting to C:\Users\whjar\mnt\file-system\opt\dolphin\dolphin-2409-x64\Dolphin-x64/Sys/
    21:23:323 DolphinQt\Translation.cpp:155 W[COMMON]: Error reading MO file 'C:\Users\whjar\mnt\file-system\opt\dolphin\dolphin-2409-x64\Dolphin-x64/Languages/en_US.mo'
    21:24:906 UICommon\AutoUpdate.cpp:212 I[COMMON]: Auto-update JSON response: {"status": "up-to-date"}
    21:24:906 UICommon\AutoUpdate.cpp:227 I[COMMON]: Auto-update status: we are up to date.
No, the anchor is the pattern for the place in the text that you want to appear before and/or after the field you want to extract. For example, if your event contains "Event of type X with user id: abc123" and you wanted to extract the user id, your regex might be something like "X.* user id: (?<userid>\w+)". The "user id: " part would be the anchor for the field you are going to extract. You could also argue that the "X" is also an anchor, as it ensures that the pattern will only match if the field being extracted from contains "X".
https://ideas.splunk.com/ideas/PLECID-I-670
Need help passing a token value from a Single Value panel using ( | stats count) in conjunction with the ( | rex field=_raw) command to a Stats Table panel. I created a dashboard showing various "winevent" logs for user accounts (created, enabled, disabled, deleted, etc.). The current search I have for my various Single Value panels, using the stats command, is seen below (for this example, I used the Windows event code 4720 to count "User Account Created" on the network) and extracted the EventCode.

    Acct Enable: index="wineventlog" EventCode=4720 | dedup user | rex field=_raw "(?m)EventCode=(?<eventcode>[\S]*)" | stats count

The output gives me a Single Value count for Windows event codes that = 4720, ignoring duplicate user records. I am now trying to capture the extracted "eventcode" using a drilldown in a token for each respective count panel. I have set up the token as (Set $token_eventcode$ = $click.value$) in my drilldown editor in my second query table. Using that token, I want to display the respective records in a second query panel to display the record(s) info in a table as seen below:

    Acct Enable: index="wineventlog" EventCode=$token_eventcode$ | table _time, user, src_user, EventCodeDescription

As I am still learning how to use the rex command, I am having problems in this instance with capturing the EventCode from the _raw logs, setting it to the ($token_eventcode$) token in the Single Value count query, and passing that value down through a token to the table while maintaining the stats count value. Any assistance will be greatly appreciated.
Yeah, I have been testing on regex101; there seems to be some delta in how Splunk processes the regex, however. For example, this is what I have so far: https://regex101.com/r/95JbuG/1 but when I add another event to this the regex stops working.
In Regex 1, you seem to have .* backwards (*.) in two instances, where the one near the end is particularly problematic, so if you have: (%%1936|TokenElevationTypeDefault|TokenElevationTypeLimited)*. then it will match strings like %%1936 0 or more times, so it will match events which don't include %%1936 or the other strings. Try removing the *. near the end. Also, I recommend testing the regex on a site like regex101.com to make sure your regex is working before you put it in your Splunk config.
I would be interested if you find a "clean" way to make it work. I've had a scenario like this where the filter blocks would not work with artifact-less containers, yet I needed filters to handle the containers with and without artifacts. My solution was to add a dummy artifact at the start of the playbook and then delete it near the end.
I am trying to route my Windows security logs to another specified index, but they have to meet certain criteria. EventCode has to be 4688 and the Token Elevation Level equals either %%1936, %%1938, TokenElevationTypeDefault, or TokenElevationTypeLimited. So far I have written these regular expressions:

    1. REGEX = ((?s).*EventCode=4688*.)((?si).*(%%1936|TokenElevationTypeDefault|TokenElevationTypeLimited)*.)
    2. REGEX = EventCode=4688.*TokenElevationType=(%%1936|%%1938|TokenElevationTypeDefault|TokenElevationTypeLimited)

When using 1, all EventCode 4688 events come to the specified index when I only wanted 1936 and 1938. I wanted to leave the %%1937 token in its original index. When using 2, no data at all comes to the index even though it seems to be a much simpler regex. What am I missing to ensure 4688 is properly filtered using transforms and props?
That looks like a Palo Alto Networks sourcetype. This documentation implies that these sourcetypes were used in a Palo Alto Networks app that is out of date, but it has links for upgrading to the new app: https://pan.dev/splunk/docs/tune-or-reduce-firewall-logs/ I would expect that at least one of the Palo Alto apps would include a dashboard and field extractions for pan:* sourcetypes.
@iamchris as far as I know, there is nothing available yet, but it's on the roadmap (subject to change). Please refer to: https://ideas.splunk.com/ideas/EID-I-1913 There is this app that might help: https://splunkbase.splunk.com/app/6859 or https://splunkbase.com/app/4342/#/details Cheers! If you find this helpful, please upvote.
Splunkflix ...just kidding. There is no successor available for Splunk TV, but many people are asking for it to be brought back or succeeded by a new version. If you add your votes to it on Splunk Ideas, then it is more likely that the Splunk company will work on it. https://ideas.splunk.com/ideas/EID-I-1913