All Posts
Our Splunk receives logs from VMware Workspace ONE (mobile device management (MDM)) as syslog messages. What is the source type that needs to be configured in inputs.conf, or is there an add-on to assist in parsing?
Thanks both of you - both work :-0)
Hi Team, I am getting the below error message on my Splunk ES search head. Is there any troubleshooting I can perform on Splunk Web to correct this? Please help. PS. I don't have access to the backend.
Thx Giuseppe!
Thank you. I will use it as a reference. 
The upside to the Splunk-supported add-ons is that they have decent documentation. In this case it's https://splunk.github.io/splunk-add-on-for-palo-alto-networks/
Dynamic Alert recipient for test in detector mainly using custom properties in alert recipients tab in detectors. unable to crack that!
I've been in touch with support; this is a known issue and there's no plan to fix it. There is a workaround that can be used:
| map [search index=_internal [| makeresults | eval earliest=$earliest$, latest=$latest$ | return earliest, latest]]
It's a bit longer and needs another subsearch, but it can be easier than escaping everything. Thanks everyone for their input @PickleRick @richgalloway
Thank you for your reply. I will choose the Splunk-supported add-on.
Hi @tscroggins, thanks for your reply. Then do you perhaps know if there are any time-range args that work with input-dashboard? Otherwise, should I use another method?
Hi, I am facing the same issue and found this thread. Was the issue resolved? Can you let me know the fix please, if this is working for you now. Thanks
Hello All, Has anyone encountered a situation like this before? Thanks!
No. One is written by Palo Alto themselves - https://splunkbase.splunk.com/app/2757 It's the older one, and it's now deprecated. The new one is written and supported by Splunk - https://splunkbase.splunk.com/app/7523 Go for this one. As a rule of thumb, if you have a choice between a Splunk-supported add-on and a third-party one, use the Splunk-supported one.
Hi @dhineshv1, OK, where is the information about whether a currency is local or foreign located? I suppose that's related to the user account. So you could create a lookup containing the system users and the related currency. Then an input with two options: local or foreign. In local you could use the following expression: [ | rest /services/authentication/current-context | lookup your_lookup.csv title OUTPUT Currency | table Currency ] Instead, in foreign, you could use the following expression: NOT [ | rest /services/authentication/current-context | lookup your_lookup.csv title OUTPUT Currency | table Currency ] In this way you can filter your search like this: <your_main_search> $token$ | ... Ciao. Giuseppe
Hi @AliMaher, as @PickleRick and @richgalloway also said, the correct reference hardware and the number of SHs depend not only on the number of active users but mainly on the number of searches that you have in your infrastructure, with special attention to scheduled searches. In addition, it also depends on the presence of Premium Apps like Enterprise Security or ITSI that use many scheduled searches. You can monitor the load on the SH using the Monitoring Console: if the load on the SH is too high, you can consider adding another SH or increasing the reference hardware (CPUs). The use of a Cluster depends on whether you have an HA requirement or not, not on the load on the SH. In addition, when you monitor the performance of your infrastructure, remember to also monitor the load on the Indexers, because all the searches from the SHs arrive on the Indexers: you can monitor Indexer performance using the Monitoring Console as well. Anyway, the best approach is to analyze the requirements, in terms of indexed logs, scheduled searches, active users and presence of Premium Apps, with a Splunk Architect who can design the best architecture for your infrastructure. Ciao. Giuseppe
Hi, thanks for responding. Let me try to explain it clearly. Refer to the below table for how my data looks:
Currency  Amount  Card Brand
JPY       100     XXX
CNY       100     XYZ
INR       100     UUU
1. I should have a dropdown named currency that lists 2 options: one will be Local (assume JPY is the local currency in this case), the second option will be cross border.
2. When I choose Local, then I need to show the results where currency = JPY (this is the straightforward one):
Currency  Amount  Card Brand
JPY       100     XXX
3. When I choose cross border, then I need to show the results where currency != JPY (i.e. all results except JPY, as below):
CNY       100     XYZ
INR       100     UUU
Hi @kumva01 As you tagged Splunk Add-on for Unix and Linux, I assume you are using this add-on. If yes, then the add-on will take care of the sourcetype automatically. Here is the list of sourcetypes of the Unix/Linux add-on: https://docs.splunk.com/Documentation/AddOns/released/UnixLinux/Sourcetypes and here is the list of pretrained sourcetypes: https://docs.splunk.com/Documentation/Splunk/9.3.1/Data/Listofpretrainedsourcetypes Please provide more details about your question, thanks.
Hi @dhineshv1, sorry, but your request isn't so clear. Let me summarize, and correct me if there's something wrong: you need to add a dropdown containing all the currencies present in your data; choosing a currency from the dropdown, you want to use this currency near your value, or what else? It's not clear: "but my query i should differentiate between local and foreign currency, for example user have to search by selecting 1st option as JPY and another option should list me all the other currency except JPY," what do you mean? Could you add a sample of the output you would like? Ciao. Giuseppe
Hi All, We are in the process of onboarding logs from a centralized log server, where all endpoints forward their logs. We have installed a Splunk Heavy Forwarder on the server to monitor and forward these logs to the Indexers. I would like to know if there are any default sourcetypes available for data sources such as systemd.log and sudo.log.
Yes, WhatsApp does offer the "WhatsApp Business API," which is a paid service designed for businesses to interact with their customers at scale. Unlike free platforms like Telegram or GroupMe, which provide open Bot APIs for developers, WhatsApp's API has a cost and requires approval from Meta. This difference is why many developers prefer Telegram or GroupMe for creating bots, as they offer similar functionality without the upfront fees and restrictions of WhatsApp's Business API.