Thank you for your input. Proofpoint does not have much useful information about this product. We're planning to move away from it, so it's not worth the effort.
Hi @mmg245. Troubleshooting this depends on your custom app only. The only troubleshooting that comes to my mind is to check the internal logs for any warnings or errors related to the app or report. If nothing works, and if it's OK, as a last troubleshooting step maybe try restarting Splunk. Thanks.
That's right. I never liked that solution either, and we have plans to move away from it in the near future. Thank you for your input. 
Hi, I am having some problems understanding how to fetch a multiline pattern in a single event. I have a logfile in which I am searching for this pattern, which is scattered across multiple lines:
123456789102BP Tank: Bat from Surface = #07789*K00C0**************************************** 00003453534534534
****after Multiple Lines***
123456789107CSVSentinfo:L00Show your passport
****after Multiple Lines***
123456789110CSVSentinfo Data:z800
****after Multiple Lines***
123456789113CSVSentinfoToCollege:
****after Multiple Lines***
123456789117CSVSentinfoFromCollege:
****after Multiple Lines***
123456789120CSVSentinfo:G7006L
****after Multiple Lines***
123456789122CSVSentinfo:A0T0
****after Multiple Lines***
123456789124BP Tank: Bat to Surface L000passportAccepted
I have tried the query below to find all the occurrences but no luck:
index=khisab_ustri sourcetype=sosnmega "*BP Tank: Bat from surface = *K00C0*"
| dedup _time
| rex field=_raw "(?ms)(?<time_string>\d{12})BP Tank: Bat from Surface .*K00C0\d{21}(?<kmu_str>\d{2})*"
| rex field=_raw "(?<PC_sTime>\d{12})CSVSentinfo:L00Show your passport*"
| rex field=_raw "(?<CP_sTime>\d{12})CSVSentinfo Data:z800*"
| rex field=_raw "(?<MTB_sTime>\d{12})CSVSentinfoToCollege:*"
| rex field=_raw "(?<MFB_sTime>\d{12})CSVSentinfoFromCollege:*"
| rex field=_raw "(?<PR_sTime>\d{12})CSVSentinfo:G7006L*"
| rex field=_raw "(?<JR_sTime>\d{12})CSVSentinfo:A0T0*"
| rex field=_raw "(?<MR_sTime>\d{12})BP Tank: Bat to Surface =.+L000passportAccepted*"
| table (PC_sTime- time_string),(CP_sTime- PC_sTime),(MTB_sTime-CP_sTime),(MFB_sTime-MTB_sTime),(PR_sTime- MFB_sTime),(JR_sTime-PR_sTime),(MR_sTime-JR_sTime)
Sample Data:
123456789102BP Tank: Bat from Surface = #07789*K00C0**************************************** 00003453534534534
123456789103UniverseToMachine\0a<Ladbrdige>\0a <SurfaceTake>GOP</Ocnce>\0a <Final_Worl-ToDO>Firewallset</KuluopToset>\0a</
123456789105SetSurFacetoMost>7</DecideTomove>\0a
<TakeaKooch>        </SurfaceBggien>\0a <Closethe Work>0</Csloethe Work>\0a
123456789107CSVSentinfo:L00Show your passport
123456789108BP Tank: Bat from Surface = close ticket
123456789109CSVSentinfo:Guide iunit
123456789110CSVSentinfo Data:z800
123456789111CSVGErt Infro"8900
123456789112CSGFajsh:984
123456789113CSVSentinfoToCollege:
123456789114CSVSentinfo Data:z800
123456789115CSVSentinfo Data:z800
123456789116Sem startedfrom Surface\0a<Surafce have a data>\0a <Surfacecame with Data>Ladbrdige</Ocnce>\0a <Ladbrdige>Ocnce</Final_Worl>\0a <KuluopToset>15284</DecideTomove>\0a <SurafceCall>\0a <wait>\0a <wating>EventSent</SurafceCall>\0a </wait>\0a </sa>\0a</Surafce have a data>\0a\0a
123456789117CSVSentinfoFromCollege:
123456789118CSVSentinfo:sadjhjhisd
123456789119CSVSentinfo:Loshy890
123456789120CSVSentinfo:G7006L
123456789121CSVSentinfo:8shhgbve
123456789122CSVSentinfo:A0T0
123456789123CSVSentinfo Data:accepted
123456789124BP Tank: Bat to Surface L000passportAccepted
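An added example (not part of the thread) that prototypes in Python, rather than SPL, the extraction the question above is after: each stage marker is matched at a line start so that line's 12-digit prefix is captured, and the differences between consecutive stages are computed, with None where a stage is missing. The event is constructed from the post's excerpt, and treating the 12-digit prefix as a numeric counter is an assumption.

```python
import re

# Constructed sample event modelled on the question's excerpt (not real data):
# the 12-digit prefix is treated as a numeric counter, and only some lines
# carry a stage marker (the "close ticket" line is deliberate noise).
SAMPLE_EVENT = """\
123456789102BP Tank: Bat from Surface = #07789*K00C0****
123456789107CSVSentinfo:L00Show your passport
123456789108BP Tank: Bat from Surface = close ticket
123456789110CSVSentinfo Data:z800
123456789113CSVSentinfoToCollege:
123456789117CSVSentinfoFromCollege:
123456789120CSVSentinfo:G7006L
123456789122CSVSentinfo:A0T0
123456789124BP Tank: Bat to Surface L000passportAccepted
"""

# Ordered stage markers, mirroring the rex extractions in the post; each is
# anchored at a line start so the 12-digit prefix of that line is captured.
STAGES = [
    ("time_string", r"BP Tank: Bat from Surface = #\d+\*K00C0"),
    ("PC_sTime", r"CSVSentinfo:L00Show your passport"),
    ("CP_sTime", r"CSVSentinfo Data:z800"),
    ("MTB_sTime", r"CSVSentinfoToCollege:"),
    ("MFB_sTime", r"CSVSentinfoFromCollege:"),
    ("PR_sTime", r"CSVSentinfo:G7006L"),
    ("JR_sTime", r"CSVSentinfo:A0T0"),
    ("MR_sTime", r"BP Tank: Bat to Surface .*L000passportAccepted"),
]

def extract_stage_times(event):
    """Return {field: int} for the first line matching each stage marker."""
    times = {}
    for field, marker in STAGES:
        m = re.search(r"^(\d{12})" + marker, event, re.M)
        if m:
            times[field] = int(m.group(1))
    return times

def stage_deltas(event):
    """Differences between consecutive stages; None where a stage is missing."""
    times = extract_stage_times(event)
    deltas = {}
    for (prev, _), (cur, _) in zip(STAGES, STAGES[1:]):
        key = f"{cur}-{prev}"
        deltas[key] = (times[cur] - times[prev]
                       if prev in times and cur in times else None)
    return deltas
```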
Dashboard Studio working with Reports and Time Range
@sainag_splunk I am currently using the new Dashboard Studio interface; the dashboards make calls to saved reports in Splunk. Is there a way to have the time range work for the dashboard, but also allow it to work with the reports? The issue we face is that we are able to set the reports in the Studio dashboard, but by default they are stuck as static reports. How can we add a time range input that will work with the dashboard and the reports? The users who are viewing this dashboard are third parties and people we do not want to give access to the index (for example, users outside of the org), hence the reason the dashboard uses saved reports, where it's viewable. But, like I mentioned, we faced the issue of changing the time range picker, since the saved reports are showing as static, whereas we wish to make them change as we specify a time range with the input. We are trying not to give third-party users access to Splunk indexes. I also tried looking into embedded reports but found "Embedded reports also cannot support real-time searches."
Please share the source code of your dashboard in a code block </>
Yes, really but not 25k. My list is longer than 1000 entries and works just fine in classic dashboards. Users don't have to scroll through the whole list, they can start typing in the dropdown input to filter the list.
I had an error in the email logs and I have fixed it, and now I'm receiving emails correctly in my local mail server, but still, when the alert is triggered, it's not shown in the triggered alerts.
From the security standpoint, token authentication doesn't differ from user/password authentication. It's still authentication with a static secret. You can't use SAML for REST API authentication. You might want to think about integrating an external credentials provider like Conjur and rotating the tokens often.
I don't think that's the issue here. The same payload sent to the /raw endpoint would end up looking the same. It's the source formatting the data differently than before.
That's one of the options. But "*/..." makes no sense. It's enough to just use ...
The raw endpoint is not an option because it is not supported by the logging-operator.
Thanks @PickleRick for the suggestion. Shall I use the config below?
[source::.../starflow-app-logs*/...]
* matches anything but the path separator 0 or more times. The path separator is '/' on Unix, or '\' on Windows. Intended to match a partial or complete directory or filename. So for your props.conf stanza you should rather use ..., which recurses through directories until the match is met or, equivalently, matches any number of characters.
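As an added example (Python written for this thread, not Splunk's own matching code) of the difference between * and ... in a [source::] stanza: the pattern is translated into a regex using the semantics quoted above and checked against constructed paths. It assumes the pattern must match the whole source value.

```python
import re

# Constructed file paths (not from the thread) to exercise the stanza patterns.
PATHS = [
    "/var/log/containers/starflow-app-logs-abc123/app.log",
    "/var/log/containers/starflow-app-logs-abc123/sub/app.log",
    "/var/log/containers/starflow-app-logs",
    "/srv/other-app-logs/app.log",
]

def stanza_to_regex(pattern):
    """Translate a props.conf [source::...] wildcard pattern into a regex.

    Assumed semantics, per the docs text quoted above:
      '...' matches any number of characters, including path separators;
      '*'   matches anything except a path separator ('/' or '\\').
    Anchoring to the whole source value is an assumption of this example.
    """
    pieces = []
    for tok in re.split(r"(\.\.\.|\*)", pattern):
        if tok == "...":
            pieces.append(".*")
        elif tok == "*":
            pieces.append(r"[^/\\]*")
        else:
            pieces.append(re.escape(tok))
    return re.compile("^" + "".join(pieces) + "$")

def source_matches(pattern, source):
    """True if the stanza pattern matches this source path."""
    return stanza_to_regex(pattern).match(source) is not None

def matching_sources(pattern, sources=PATHS):
    """Which of the sample paths a given stanza pattern would select."""
    return [s for s in sources if source_matches(pattern, s)]
```

The leading-star form from the thread, `*/starflow-app-logs...`, selects nothing here because `*` cannot cross the first `/` of an absolute path, whereas `.../starflow-app-logs...` selects every path containing that directory prefix.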
Nope, I only included it for clarity while writing this post; it’s not part of my actual configuration. Note: I have removed that part from my post as well.
Replace searchmatch(text1_value,"Load Balancer") with searchmatch("text1_value=\"*Load Balancer*\""), and so on. BTW, rename is not needed for searchmatch because it accepts any syntax/shortcut that the search command accepts. (Like search, it also does case-insensitive matching.) For example:
index=monitor name="Manager - Error" text2.value="*Rerun" text1.value IN ("*Load Balancer*", "*Endpoints*") earliest=-1d latest=now
| stats count(eval(searchmatch("text1.value=\"*Load Balancer*\""))) AS LoadBalancer count(eval(searchmatch("text1.value = \"*Endpoints*\""))) AS Endpoints
Token Authentication: This is definitely your best bet for security. You can create these through Splunk Web or via the API itself.
https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTtoken
HTTPS: Always, always use HTTPS for your API calls. It's a must for encryption.
RBAC: Make sure your API user or token only has the permissions it absolutely needs. Less is more when it comes to security! Create Splunk roles and map accordingly.
MFA: While Splunk supports MFA for user logins, it's not directly used for API calls. Instead, you'd set up MFA for the user generating the API tokens.
https://docs.splunk.com/Documentation/SIM/current/User/SetupMFA
SAML: If you're using SAML, you'll still use tokens for API access. SAML is more for the web interface. Tokens are usually the way to go for most scenarios.
https://docs.splunk.com/Documentation/SplunkCloud/latest/Security/SetupuserauthenticationwithSplunk
https://docs.splunk.com/Documentation/Splunk/9.3.1/Security/UseAuthTokens
Hope this helps!
Do you see any more verbosity in the errors in the developer tools of your browser when making the upload, such as the network tab and the javascript console? Sometimes the errors there show more information but on the website itself you are only given a generic error message.
Is that commented line " #to exract <team-id> from source" on the same line as the regex in your transforms.conf? If so, that should be on a separate line otherwise Splunk will consider it part of the regex.
b) This is the search, correct?
No. You keep going back to "join", which everyone advises against. Did you see that my example uses no "join"? Also, please read the sendmail syntax as @inventsekar posted.
search1 | stats count | where count > 50000 | eval this = "search 1"
| append [search2 | stats count | where count > 50000 | eval this = "search 2"]
| append [search3 | stats count | where count > 50000 | eval this = "search 3"]
| append [search4 | stats count | where count > 50000 | eval this = "search 4"]
| stats values(this) as message
| sendmail to=mybox@example.com sendresult=true message="Exceeded 50000"
If you cannot use sendmail (e.g., no MTA defined for Splunk), just get rid of the command and use an alert. Bottom line: "join" will get you nowhere.