Neither is relevant.  Ingest rate applies to indexers, not search heads.
Hi @TahWee, Just in case: Did you email the address on the contact tab in Splunkbase? They are also active in the community and probably respond to direct messages. They are also easy to locate on LinkedIn by cross-referencing their name with Splunk and recent activity.
Thanks! Could you elaborate more on EPS OR GB/Day?
Ignore that warning (it's just a warning).  The important part is "Login failed", which means you used the wrong credentials.
When the biggest server available to you isn't enough for the search load then it's time for a SHC.
Just include X in the rex pattern with the correct relationship to the anchors for your field extraction | rex "X.*anchor1(?<field1>pattern1)" | rex "Y.*anchor2(?<field2>pattern2)"
@victor_menezes Which version of Splunk are you using that supports this syntax of rex?
index=someIndex [| makeresults | eval earliest=$token_epoch$ | eval latest=earliest+604800 | table earliest latest]
I am trying to deploy an SH cluster, but when I run the command below:

./splunk init shcluster-config -auth <username>:<password> -mgmt_uri <URI>:<management_port> -replication_port <replication_port> -replication_factor <n> -conf_deploy_fetch_url <URL>:<management_port> -secret <security_key> -shcluster_label <label>

I get the error below:

WARNING: Server Certificate Hostname Validation is disabled. Please see server.conf/[sslConfig]/cliVerifyServerName for details.
Login failed

But when I apply the config below:

[sslConfig]
cliVerifyServerName = true
sslVerifyServerCert = true

I get this error instead:

ERROR: certificate validation: self signed certificate in certificate chain
Couldn't complete HTTP request: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Hello, I am writing to ask at which point, in terms of EPS or daily ingested GB/day and the number of users simultaneously accessing the search head, I should consider a search head cluster. Should it be one single SH, or three SHs plus a deployer? What is your technical perspective?
Hi Ryan, unfortunately, it did not work applying what is recommended in the doc you shared:

C:\inetpub\wwwroot\wss\VirtualDirectories\{your-site}

Add the CSP Header to the <httpProtocol> section of the Web.config file.

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="Content-Security-Policy" value="script-src 'unsafe-inline' cdn.appdynamics.com; connect-src peum.kaska.com; img-src cdn.appdynamics.com; child-src cdn.appdynamics.com;" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

The application crashed and we had to roll back. Notes: the agent is loaded successfully. Any other suggestions? Where else to look?
It's not about DBConnect itself. It's about JDBC, because that's what's responsible for the actual connection. See https://learn.microsoft.com/en-us/sql/connect/jdbc/setting-the-connection-properties There is an interesting paragraph in the authentication parameter description which might pertain to you.
Hi, I'm interested to know more about RBA Navigator. Does anyone have a way to contact Matt Snyder, the app creator? I would like to know more information about the list of available features, use cases (if possible), and the installation guide. Thanks.
It's a bit more complicated than that. Data is not sent from UF as events (unless you're using indexed extractions), it's getting sent as chunks (which can cause issues if you have big events and don't have event breaker configured properly). And it's actually the other way around - you want to have event breaker (not line breaker! since no line breaking happens on UF) set so that events are _not_ split between two different chunks. The cause for it is that two chunks of data can go to different outputs from the same group and end up on two different indexers. So even if there was a way to reassemble an event you wouldn't have anything to reassemble it from. Long story short - you want to make sure your events are _not_ getting split.
Hi, I am trying to use a custom JavaScript file to customize some button actions in my dashboard, but it doesn't work and I don't know why. I'm using the latest version of Splunk Enterprise. My custom script is in the folder $SPLUNK_HOME/etc/apps/app_name/appserver/static/. I have tried restarting Splunk Web and using the bump button, but nothing works. Can anyone help me?

Simple XML dashboard code:

<form version="1.1" theme="dark" script="button.js">
  <search>
    <query>
      | makeresults | eval field1="test", field2="test1", field3="lll", field4="sgsgsg"
    </query>
    <earliest></earliest>
    <latest>now</latest>
    <done>
      <set token="field1">$result.field1$</set>
      <set token="field2">$result.field2$</set>
      <set token="field3">$result.field3$</set>
      <set token="field4">$result.field4$</set>
    </done>
  </search>
  <label>stacked_inputs</label>
  <fieldset submitButton="false" autoRun="true"></fieldset>
  <row>
    <panel>
      <title>title</title>
      <input id="test_input1" type="text" token="field1">
        <label>field1</label>
        <default>$field1$</default>
        <initialValue>$field1$</initialValue>
      </input>
      <input id="test_input2" type="text" token="field2">
        <label>field2</label>
        <default>$field2$</default>
        <initialValue>$field2$</initialValue>
      </input>
      <html>
        <style>
          #test_input2 { padding-left: 30px !important; }
        </style>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <input id="test_input3" type="text" token="field3">
        <label>field3</label>
        <default>$field3$</default>
        <initialValue>$field3$</initialValue>
      </input>
      <input id="test_input4" type="text" token="field4">
        <label>field4</label>
        <default>$field4$</default>
        <initialValue>$field4$</initialValue>
      </input>
    </panel>
  </row>
  <row>
    <panel>
      <html>
        <form>
          <div>
            <div>
              <label>Password</label>
              <input type="text" value="$field4$"/>
              <br/>
              <input type="password" id="exampleInputPassword1" placeholder="Password"/>
            </div>
          </div>
          <button type="submit" class="btn btn-primary">Submit</button>
        </form>
        <button onclick="test()">Back</button>
        <button onclick="test1()">Back1</button>
        <button id="back" data-param="test">Back2</button>
      </html>
    </panel>
  </row>
</form>

Javascript code

As you can see I have tried different methods. Thanks for your help.
If WSUS writes events to the event log or to flat files, you can use the usual methods (wineventlog and monitor inputs) to obtain that data. WID is another story - it's an embedded component and cannot be queried remotely, so the only way to access it would be by some component installed directly on the WSUS server. The most obvious way to access an MSSQL database, which is using DBConnect, will fail however, because Microsoft's JDBC driver for MSSQL is a pure-Java implementation and only uses TCP/IP connectivity. You could try using the jTDS driver, but this is unsupported and generally unexplored territory. In other words, you're on your own here. You could also try using SQL Studio and the tools contained therein to script some queries against the database and write the results to a file, but again - I don't think that's something people do often and you're unlikely to find a ready-made solution. There is a third-party (not Splunk-supported) add-on and app for WSUS on Splunkbase, but the add-on assumes connectivity to the WSUS database using DBConnect (which means a WSUS setup with an external MS SQL instance). But you can look into it to find the queries you need if you decide to implement the ingestion process on your own.
They seem to correspond to different Carbon Black products:

https://splunkbase.splunk.com/app/5775 - Carbon Black App Control (formerly Bit9)
https://splunkbase.splunk.com/app/5774 - Carbon Black Defense
https://splunkbase.splunk.com/app/5947 - Carbon Black Response
https://splunkbase.splunk.com/app/6732 - VMware Carbon Black Cloud

Which Carbon Black product are you using? If you have a contact for your Carbon Black license, then perhaps you can ask them which is the most appropriate SOAR connector for your Carbon Black products. Or you could try your API keys on each product and see which one succeeds in its actions.
Thanks. I will create a support case for this. Do you have the old case ID on hand?
Hello, I have a WSUS server that is using the Windows Internal Database (WID). I would like to ingest WSUS service logs into Splunk, store them, and then parse them for further analysis. Could someone guide me on the best approach to achieve this? Specifically:

What is the best way to configure Splunk to collect logs from the WSUS service (and database if necessary)?
Are there any best practices or recommended add-ons for parsing and indexing WSUS logs in Splunk?

Thanks in advance for your help!
Hi @whipstash, add to the stats command, using the values option, all the fields you need from both the searches:

index=INDEX sourcetype=sourcetypeA
| rex field=eventID "\w{0,30}+.(?<sessionID>\d+)"
| do some filter on infoIWant fields here
| append [ search index=INDEX sourcetype=sourcetypeB
    | stats count AS eventcount earliest(_time) AS earliest latest(_time) AS latest BY sessionID
    | eval duration=latest-earliest
    | where eventcount=2
    | fields sessionID duration field3 field4 ]
| stats values(eventID) AS eventID values(duration) AS duration values(field1) AS field1 values(field2) AS field2 values(field3) AS field3 values(field4) AS field4 values(count) AS count BY sessionID

Ciao.
Giuseppe