All Posts
Hey @sbel If you are using Splunk v9.3 then your app should be compatible with Python v3.9 by default. For the time being you can try this if it helps, but in the long term you have to make your apps compatible with Python v3.9.0.

$SPLUNK_HOME/etc/system/local/server.conf
[general]
python.version = python3.9
I have a saved search which is scheduled but it is not showing and not running at the scheduled time.
Hi @new2splunk21, I see many different issues that can maybe be traced back to the same one: are you sure that the indexers have the resources (storage) to receive all the logs? Because the message in the last screenshot seems to indicate that there's an issue on the receiver and not on the forwarder. Then, did you ever receive logs from all 5 forwarders? If not, maybe you used the same hostname on some forwarders. Run a search on _internal to see if you have logs from all the forwarders: index=_internal Ciao. Giuseppe
Is this TA still being developed and supported? https://splunkbase.splunk.com/app/4950/ I followed the 'visit site' link on the splunkbase page and couldn't see the Enterprise version advertised?
The attempted code shows several misunderstandings; otherwise the regex can be fixed. Most importantly, you need to realize that the table command does not perform evaluation. It can only tabulate fields that already have a value. Second, there are several obvious attempts to use asterisk (*) as a wildcard in regex. It is not. In regex, * is a repetition token. What you meant is perhaps .*. So I made changes as such. Besides these, the first line in the sample also cannot match \d{21}\d2 because you used nonnumeric characters immediately after BP Tank: Bat from Surface = #07789*K00C0. To make the following meaningful, I replaced those characters with numerals in the emulation. What you should be using is perhaps something like

index=khisab_ustri sourcetype=sosnmega "*BP Tank: Bat from surface = *K00C0*"
| rex max_match=0 "(?ms)(?<time_string>\d{12})BP Tank: Bat from Surface .*K00C0\d{21}(?<kmu_str>\d{2})*"
| rex max_match=0 "(?<PC_sTime>\d{12})CSVSentinfo:L00Show your passport.*"
| rex max_match=0 "(?<CP_sTime>\d{12})CSVSentinfo Data:z800.*"
| rex max_match=0 "(?<MTB_sTime>\d{12})CSVSentinfoToCollege:.*"
| rex max_match=0 "(?<MFB_sTime>\d{12})CSVSentinfoFromCollege:.*"
| rex max_match=0 "(?<PR_sTime>\d{12})CSVSentinfo:G7006L.*"
| rex max_match=0 "(?<JR_sTime>\d{12})CSVSentinfo:A0T0.*"
| rex max_match=0 "(?<MR_sTime>\d{12})BP Tank: Bat to Surface .*L000passportAccepted.*"
| eval PC_minus_timestring = (PC_sTime - time_string),
    CP_minus_PC = mvmap(CP_sTime, (CP_sTime - PC_sTime)),
    MTB_minus_CP = (MTB_sTime - CP_sTime),
    MFB_minus_MTB = (MFB_sTime - MTB_sTime),
    PR_minus_MFB = (PR_sTime - MFB_sTime),
    JR_minus_PR = (JR_sTime - PR_sTime),
    MR_minus_JR = (MR_sTime - JR_sTime)
| table *_minus_*

The modified sample data will give (CP_minus_PC is a multivalue field, shown as three rows):

CP_minus_PC  JR_minus_PR  MFB_minus_MTB  MR_minus_JR  PC_minus_timestring  PR_minus_MFB
3            2            4              2            5                    3
7
8

Some additional pointers:
You should not use dedup on _time. If you need to do that, something is wrong with your event data. Fix that first.
The rex command operates on _raw by default. No need to specify it.
Some fields can have multiple matches. I added max_match=0. Read the rex documentation about its options.
Your sample data does not contain all the fields you are trying to extract.
Your sample SPL does not use the kmu_str field that is extracted.

Here is an emulation of the modified sample data. Play with it and compare with real data:

| makeresults
| eval _raw = "123456789102BP Tank: Bat from Surface = #07789*K00C012345678901234567890178 00003453534534534 123456789103UniverseToMachine\\0a<Ladbrdige>\\0a <SurfaceTake>GOP</Ocnce>\\0a <Final_Worl-ToDO>Firewallset</KuluopToset>\\0a</ 123456789105SetSurFacetoMost>7</DecideTomove>\\0a <TakeaKooch>                                </SurfaceBggien>\\0a <Closethe Work>0</Csloethe Work>\\0a 123456789107CSVSentinfo:L00Show your passport 123456789108BP Tank: Bat from Surface = close ticket 123456789109CSVSentinfo:Guide iunit 123456789110CSVSentinfo Data:z800 123456789111CSVGErt Infro\"8900 123456789112CSGFajsh:984 123456789113CSVSentinfoToCollege: 123456789114CSVSentinfo Data:z800 123456789115CSVSentinfo Data:z800 123456789116Sem startedfrom Surface\\0a<Surafce have a data>\\0a <Surfacecame with Data>Ladbrdige</Ocnce>\\0a <Ladbrdige>Ocnce</Final_Worl>\\0a <KuluopToset>15284</DecideTomove>\\0a <SurafceCall>\\0a <wait>\\0a <wating>EventSent</SurafceCall>\\0a </wait>\\0a </sa>\\0a</Surafce have a data>\\0a\\0a 123456789117CSVSentinfoFromCollege: 123456789118CSVSentinfo:sadjhjhisd 123456789119CSVSentinfo:Loshy890 123456789120CSVSentinfo:G7006L 123456789121CSVSentinfo:8shhgbve 123456789122CSVSentinfo:A0T0 123456789123CSVSentinfo Data:accepted 123456789124BP Tank: Bat to Surface L000passportAccepted"
``` the above emulates index=khisab_ustri sourcetype=sosnmega "*BP Tank: Bat from surface = *K00C0*" ```
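As a cross-check of the regex points in the answer above, here is a Python re-implementation of the same extraction run over a condensed copy of the emulated event. This is an added example, not part of the answer and not Splunk code: the sample text is constructed from the answer's makeresults data (one event per line, noise lines shortened), the pattern names mirror the rex field names, and the multivalue CP_minus_PC is computed per value the way mvmap() does. It also shows concretely why a bare * in a regex fails where .* succeeds.

```python
import re
from typing import Dict, List

# Constructed sample: a condensed, newline-separated version of the event
# emulated in the answer above. Each line starts with a 12-digit timestamp.
SAMPLE = """\
123456789102BP Tank: Bat from Surface = #07789*K00C012345678901234567890178 00003453534534534
123456789103UniverseToMachine <Ladbrdige> <SurfaceTake>GOP</Ocnce>
123456789107CSVSentinfo:L00Show your passport
123456789108BP Tank: Bat from Surface = close ticket
123456789109CSVSentinfo:Guide iunit
123456789110CSVSentinfo Data:z800
123456789111CSVGErt Infro"8900
123456789112CSGFajsh:984
123456789113CSVSentinfoToCollege:
123456789114CSVSentinfo Data:z800
123456789115CSVSentinfo Data:z800
123456789116Sem startedfrom Surface <Surafce have a data>
123456789117CSVSentinfoFromCollege:
123456789118CSVSentinfo:sadjhjhisd
123456789119CSVSentinfo:Loshy890
123456789120CSVSentinfo:G7006L
123456789121CSVSentinfo:8shhgbve
123456789122CSVSentinfo:A0T0
123456789123CSVSentinfo Data:accepted
123456789124BP Tank: Bat to Surface L000passportAccepted
"""

# The rex patterns from the answer in Python syntax: Splunk's PCRE (?<name>...)
# becomes (?P<name>...). Note ".*" (any run of characters), never a bare "*".
PATTERNS: Dict[str, str] = {
    "time_string": r"(?P<time_string>\d{12})BP Tank: Bat from Surface .*K00C0\d{21}(?P<kmu_str>\d{2})",
    "PC_sTime": r"(?P<PC_sTime>\d{12})CSVSentinfo:L00Show your passport",
    "CP_sTime": r"(?P<CP_sTime>\d{12})CSVSentinfo Data:z800",
    "MTB_sTime": r"(?P<MTB_sTime>\d{12})CSVSentinfoToCollege:",
    "MFB_sTime": r"(?P<MFB_sTime>\d{12})CSVSentinfoFromCollege:",
    "PR_sTime": r"(?P<PR_sTime>\d{12})CSVSentinfo:G7006L",
    "JR_sTime": r"(?P<JR_sTime>\d{12})CSVSentinfo:A0T0",
    "MR_sTime": r"(?P<MR_sTime>\d{12})BP Tank: Bat to Surface .*L000passportAccepted",
}


def extract(raw: str, group: str, pattern: str) -> List[int]:
    """Equivalent of `rex max_match=0`: every match of one named group, as ints."""
    return [int(m.group(group)) for m in re.finditer(pattern, raw)]


def timing_deltas(raw: str) -> Dict[str, List[int]]:
    """Reproduce the *_minus_* columns of the answer's table.

    Single-valued fields use their first (only) match. CP_sTime matches three
    times, so CP_minus_PC is computed per value, like mvmap() in the SPL.
    """
    fields = {name: extract(raw, name, pat) for name, pat in PATTERNS.items()}

    def first(name: str) -> int:
        return fields[name][0]

    return {
        "PC_minus_timestring": [first("PC_sTime") - first("time_string")],
        "CP_minus_PC": [t - first("PC_sTime") for t in fields["CP_sTime"]],
        "MFB_minus_MTB": [first("MFB_sTime") - first("MTB_sTime")],
        "PR_minus_MFB": [first("PR_sTime") - first("MFB_sTime")],
        "JR_minus_PR": [first("JR_sTime") - first("PR_sTime")],
        "MR_minus_JR": [first("MR_sTime") - first("JR_sTime")],
    }


def glob_to_regex(glob: str) -> str:
    """Turn a search-bar wildcard such as "*K00C0*" into a regex: literal parts
    are escaped and each "*" becomes ".*"."""
    return ".*".join(re.escape(part) for part in glob.split("*"))


def wildcard_pitfall(line: str) -> Dict[str, bool]:
    """Why the original regex failed: "Surface = *K00C0" as a regex means
    "Surface =" followed by zero or more spaces and then "K00C0", and the
    "#07789*" in the event is in the way. The ".*" form matches."""
    return {
        "bare_star": re.search(r"Surface = *K00C0", line) is not None,
        "dot_star": re.search(glob_to_regex("Surface = *K00C0"), line) is not None,
    }


if __name__ == "__main__":
    for col, vals in sorted(timing_deltas(SAMPLE).items()):
        print(f"{col:<22}{' '.join(map(str, vals))}")
    print(wildcard_pitfall(SAMPLE.splitlines()[0]))
```

Running it prints the six columns of the table in the answer, with CP_minus_PC as 3 7 8, and shows bare_star False against dot_star True for the first event line.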
Yes, different events. I am at a very early stage with SPL, hence trying to figure it out. TIA
Yes, they are multiple events.
Hi Splunk Community, I am having issues with Splunk DB Connect 3.18.0 not sending data. I was able to connect the DB Connect app to the database and query properly, but no luck seeing the data in Splunk Cloud. I am able to send other logs and data to Splunk Cloud with no issues. Thanks!
and under messages it says
they're not showing up when I go to search and type index="host_audits"
Thanks for the clear info!
Universal Forwarder is a lightweight component you typically install on remote machines to, as the name suggests, forward the data to the "main part" of your Splunk installation. But if you already have a full Splunk instance installed you don't need a UF (there are some border cases when such a setup can be useful, but it makes the whole environment overly complicated). So if you're just starting with Splunk, it's enough to add local Windows event log inputs on the Splunk server.
The forwarders are not listed where? Because forwarders may or may not be listed in several places depending on which functionalities you use. They can also not show up anywhere within the GUI and still be sending data and functioning perfectly well. So what is the actual problem?
Ooh - that isn't necessary? Sorry, I'm new to Splunk. I was watching some tutorial on Udemy regarding Splunk and was following the guy who did the demo. After installing Splunk Enterprise, he started talking about the "universal forwarder" and how to install it. I thought it was part of the whole... So it wasn't required?  
If this is a verbatim copy of your original event you have much more problems with your data.
First and foremost - why are you installing a UF when you already have a full Splunk instance? Just add input(s) there.
Never mind... I've stopped the universal forwarder software, waited some seconds and restarted the forwarder. After this restart I performed a search (*) and it immediately gave me some results. I then created a user in PowerShell and let Splunk search for the username, resulting in some lines regarding the user. So... eventually it works as it should... With kind regards, Gerd
Try FORMAT=$1 DEST=_MetaData:Index
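For context, the index-routing transform the reply above refers to looks like the following. This is an added example, not part of the reply: the sourcetype name, the stanza name, the regex and the capture group are assumptions, and the setting that names the destination index in transforms.conf is spelled DEST_KEY in Splunk's documentation.

```ini
# props.conf (sourcetype name is an assumption)
[my:sourcetype]
TRANSFORMS-route_index = route_to_index_from_field

# transforms.conf
[route_to_index_from_field]
# Assumed event content: a token such as "index=host_audits" somewhere in _raw.
# The allowlist character class keeps a sender from steering events into an
# arbitrary index name; $1 is the capture group, so its value becomes the index.
REGEX = \bindex=([A-Za-z0-9_]{1,64})\b
FORMAT = $1
DEST_KEY = _MetaData:Index
```

The index that $1 resolves to must already exist on the indexer; events routed to a nonexistent index are dropped unless lastChanceIndex is set in indexes.conf. Because the index is taken from event content, treat the regex as a trust boundary: anyone who can write into that sourcetype can choose where their events land.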
The environment I'm monitoring has a large number of custom database metrics. For those not familiar, these are queries run against the database by the AppDynamics agent, which are then displayed in custom dashboards. This works great for us. The problem is, our environment is complex and frequently changing. The custom metrics are currently maintained by hand (someone has to go in and modify them when the environment changes). There is no import/export option in the UI. I've read through the API that is available, but I'm not able to find a way to upload or download a custom database metric. Alternatively, is there a way to perform a variable substitution for the database server and value in the query? Anything that could make this less of a manual process. Thanks
I'm trying to let Splunk Enterprise log the creation of a user on the same system where Splunk is installed. My Splunk version is 9.3.1. Alongside this install, I've installed the latest Universal Forwarder (Windows) (on localhost 127.0.0.1). When installing:
- I skip the SSL page
- click "Next"
- select "Local System"
- click "Next"
- check all items under "Windows Log Events"
- click "Next"
- generate an admin account and password
- leave the "Deployment Server" settings empty
- enter "127.0.0.1:9997" as host and port for "Receiving Indexer"
- finish the installer
Then I create a user (net user /add <user>) in CMD. After this step I return to Splunk Search and enter * as the search criterion, but nothing is found. Even when I enter the username (that I added), the software finds nothing. Can someone tell me what I'm doing wrong or what the issue can be? Thanks! Gerd