All Posts
@yuanliu 01100011 was _not_ hex. It was binary for 0x63. That's why I'm completely confused by @smanojkumar 's explanation as to how the algorithm is supposed to work. Does it work on 16-bit integers only? Does it work on any length stream of data? Does it always produce 32-bit integers? Or does the result grow with the length of the argument? It's so badly specified...
@smanojkumar Can you confirm that results you are looking for are like the following?

hex       padded_binary                          nonzero_bits
0002      00000010 00000000                      9
00200100  00000000 00000001 00100000 00000000    13 16
01100011  00010001 00000000 00010000 00000001    0 12 24 28

This sounds like some data compression game. I can't think of a practical reason to do this in SPL. Is this some sort of homework? Anyway, here is a more or less literal way to interpret your instructions:

| eval idx = mvrange(0, len(hex) / 2)
| eval reverse2hex = mvreverse(mvmap(idx, substr(hex, idx*2 + 1, 2)))
| eval ASbinary=if(idx < 1, tostring(tonumber(reverse2hex,16),"binary"), mvmap(reverse2hex, tostring(tonumber(reverse2hex,16),"binary")))
| eval padded_binary = if(idx < 1, printf("%08d", ASbinary), mvmap(ASbinary, printf("%08d", ASbinary)))
| eval reverse_bits = mvreverse(mvmap(padded_binary, split(padded_binary, ""))), position = -1
| foreach reverse_bits mode=multivalue [eval position = position + 1, nonzero_bits = if(<<ITEM>> == 0, nonzero_bits, mvappend(nonzero_bits, position))]
| fields hex padded_binary nonzero_bits

Note mvreverse on padded binary is sort of expensive and can be avoided by arithmetics if there are lots of data. Here is the emulation of the three examples you give:

| makeresults format=csv data="hex
0002
00200100
01100011"
``` data emulation above ```

Applying the algorithm to this emulation gives the results tabulated at the top.
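The same decoding in Python, as an added example that is not code from the thread: one function is a literal port of the SPL string manipulation above, the other is the arithmetic shortcut the answer hints at (read the bytes as a little-endian integer and test each bit), and the three hex codes from the thread are used as constructed sample input.

```python
"""Added example: little-endian hex bitmask -> positions of set bits (bit 0 = LSB)."""
from __future__ import annotations


def set_bit_positions_via_strings(hex_code: str) -> list[int]:
    """Literal port of the SPL: split into byte pairs, reverse the byte order,
    zero-pad each byte to 8 bits, reverse the bit string, then report the
    indices of the '1' characters."""
    if len(hex_code) % 2:
        # The thread never defines odd-length input, so reject it explicitly.
        raise ValueError("hex_code must have an even number of hex digits")
    byte_pairs = [hex_code[i:i + 2] for i in range(0, len(hex_code), 2)]
    padded = "".join(format(int(pair, 16), "08b") for pair in reversed(byte_pairs))
    reversed_bits = padded[::-1]
    return [pos for pos, bit in enumerate(reversed_bits) if bit == "1"]


def set_bit_positions_via_int(hex_code: str) -> list[int]:
    """Arithmetic equivalent with no string reversal: interpret the bytes as a
    little-endian integer and test each of the 4*len(hex_code) bit positions."""
    if len(hex_code) % 2:
        raise ValueError("hex_code must have an even number of hex digits")
    value = int.from_bytes(bytes.fromhex(hex_code), "little")
    return [pos for pos in range(4 * len(hex_code)) if (value >> pos) & 1]


# Constructed sample input: the three hex codes discussed in the thread.
SAMPLE_HEX_CODES = ["0002", "00200100", "01100011"]


def decode_table(hex_codes: list[str]) -> dict[str, list[int]]:
    """Return {hex_code: positions}, checking that both methods agree."""
    table: dict[str, list[int]] = {}
    for code in hex_codes:
        by_string = set_bit_positions_via_strings(code)
        by_int = set_bit_positions_via_int(code)
        if by_string != by_int:
            raise AssertionError(f"methods disagree for {code}: {by_string} vs {by_int}")
        table[code] = by_int
    return table


if __name__ == "__main__":
    for code, positions in decode_table(SAMPLE_HEX_CODES).items():
        print(f"{code:>8}  {positions}")
```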
Hi @Gregski11,

I don't know your infrastructure, but a Windows DS can be used without issues if you have to manage only Windows servers; if you want to manage Linux servers, using a Windows DS you lose the grants configuration, so you cannot use scripted inputs.

Anyway, all the Splunk servers should directly send their logs to the Indexers (the DS too), and you can do this in the GUI in [Settings > Forwarding and Receiving > Forwarding], setting up the destination Indexers. If you deploy an outputs.conf to your managed servers, you can use it (by uploading it) without making a manual configuration (I prefer this solution to manual management!). You don't need to access conf files if you send clear text logs; if you are using a certificate (even a Splunk auto-generated one), you need to manually modify a conf file.

About how to configure inputs, I don't like to use the Settings > Inputs feature, because you need to manually manage it; it's better to use the same Splunk_TA_Windows that you deployed to the Windows Servers, and you can manually upload it, without accessing the CMD environment.

Ciao.
Giuseppe
The Deployment Servers should be connected to the indexers already so they can index their logs.  To tell the DSs what indexes are available, install the same indexes.conf file (in an app) that you put on the search heads.  That should let you select the desired destination index from the UI.  If that doesn't work, just edit inputs.conf (in an app).
So we have a rather complicated Splunk environment with an Index Cluster and about half a dozen search heads, and all that is fine and good. However, I want to collect the Application logs from the Windows Event Viewer on our two Splunk Deployment Servers, and I want that data to go into the central EventLog index. However, I do not see that as a choice in the pulldown on our two Deployment Servers like I do on our Search Head servers, and I forgot how to set that up.

We use Microsoft Windows 2019 to run all of our Splunks, and I like to use the Web UI for as much as possible, though I ain't afraid to touch the config text files, you know what I'm sayin'.

So in the Web UI on the Deployment Servers I find this under Settings \ Data Inputs \ Local Event Log Collection, and here I can select the Application, Security, and/or System Event Logs just fine. However, down below under the Index (Set the destination index for this source) section I only see the 15 local indexes for that server and not those on our Index Cluster.

So is it wise to point the Deployment Servers at our Index Cluster, and if so how do I accomplish this, or is there a better way to gather the Application log off the Deployment Servers?
OK. Fully honestly, I don't see the point in doing so. You're adding some synthetic zeros and then counting something which will easily be divisible by 4 (because when you're preparing your bitstring the ones must be separated by multiples of 4). You're doing some strange bit swapping (and it's completely inconsistent - your original example had something that resembled a 16-bit little-endian integer which you "converted" to a 32-bit value, and from my single bit 0x63 value you also built a 32-bit value, but obviously in a different way). So, to be absolutely frank, it doesn't make much sense. A completely separate thing is why would you want to do it in Splunk? (Actually the easiest solution could be to implement an external lookup using a Python script.)
Best workaround I've come to, and it's not half bad considering that I don't have to deal with these long field names very often, is to right click > open in inspector (this is in Edge, by the way) and then drag the field name from the inspector to the editor of choice.
Hello @PickleRick,

Sorry for the mistake! I have edited the post. Considering 0x63 is 01100011, separating the byte with 2 positions:

byte 0 - 01 -> 0000 0001
byte 1 - 10 -> 0001 0000
byte 2 - 00 -> 0000 0000
byte 3 - 11 -> 0001 0001

Combining it (byte 3 byte 2 byte 1 byte 0) - 0001 0001 0000 0000 0001 0000 0000 0001

Counting the non-zero positions - 0, 12, 24, 28

These were the answers. Please let me know if there is anything. Thanks in advance!
Hi @dural_yyz,

Thanks for your reply! Please look at this example as well. Also, we are having hex_code as a single field value; from that field we are separating bit 1 and bit 2, the bit position of the least significant bit.

Another example
Hex code - 00200100
Separate 2 bytes each - 00/20/01/00
4 Byte bitmask
Byte 0: HEX = 00 - 0000 0000
Byte 1: HEX = 20 - 0010 0000
Byte 2: HEX = 01 - 0000 0001
Byte 3: HEX = 00 - 0000 0000
Byte 3 Byte 2 Byte 1 Byte 0 - 0000 0000 0000 0001 0010 0000 0000 0000
Calculate the non-zero positions from the right side
Byte combination - 0000 0000 0000 0001 0010 0000 0000 0000
Position - 16 13 ...9 8765 4321
At position 14 and 17, we got 1 while counting from the right side. So the bit value is 13 and 16.

Thanks!
Hi @ITWhisperer,

Thanks for your time! Here is another example.

Another example
Hex code - 00200100
Separate 2 bytes each - 00/20/01/00
4 Byte bitmask
Byte 0: HEX = 00 - 0000 0000
Byte 1: HEX = 20 - 0010 0000
Byte 2: HEX = 01 - 0000 0001
Byte 3: HEX = 00 - 0000 0000
Byte 3 Byte 2 Byte 1 Byte 0 - 0000 0000 0000 0001 0010 0000 0000 0000
Calculate the non-zero positions from the right side
Byte combination - 0000 0000 0000 0001 0010 0000 0000 0000
Position - 16 13 ...9 8765 4321
At position 14 and 17, we got 1 while counting from the right side. So the bit value is 13 and 16.

Yes, the bit position of the least significant bit is needed. Thanks in advance!
Another example
Hex code - 00200100
Separate 2 bytes each - 00/20/01/00
4 Byte bitmask
Byte 0: HEX = 00 - 0000 0000
Byte 1: HEX = 20 - 0010 0000
Byte 2: HEX = 01 - 0000 0001
Byte 3: HEX = 00 - 0000 0000
Byte 3 Byte 2 Byte 1 Byte 0 - 0000 0000 0000 0001 0010 0000 0000 0000
Calculate the non-zero positions from the right side
Byte combination - 0000 0000 0000 0001 0010 0000 0000 0000
Position - 16 13 ...9 8765 4321
At position 14 and 17, we got 1 while counting from the right side. So the bit value is 13 and 16.
I did fix the restart issue. But in $HOME/attack_range/terraform/ansible/roles/splunk_server_post/tasks/install_enterprise_security.yml, the following stanza fails:

- name: Run es post-install setup
  command: "/opt/splunk/bin/splunk search '| essinstall --ssl_enablement auto' -auth admin:{{ general.attack_range_password }}"
  become: yes
  async: 600
  poll: 60

It seems that the ownership of the Splunk install path is either root or the uid/gid (10777) of the person that built the tarball. How can I get the path to be owned by my user (aradmin)? Is this done with the "become:true" flag? Where do I need to update the scripts?
There was an issue with the key department for the older version; after correcting that using eval, both solutions worked. Thanks a lot, guys.
That reason is new to me.  The app is supported by the developer.  Their contact info is on the splunkbase page.
These searches are showing the reason as "Relation '' is unknown. (2)". I'm unsure what action I need to perform here.
https://www.splunk.com/en_us/blog/platform/splunking-your-conf-files-how-to-audit-configuration-changes-like-a-boss.html?locale=en_us This will show you how to track conf file changes. Earlier questions wanted change control on dashboards, which are XML files, so it won't work for those.
Usually, a search is skipped because of external factors (no resources), but a search will be skipped if it contains an error or if it's already/still running.  The Monitoring Console or CMC will tell the reason for the skips in the Scheduler Activity dashboard.  Fix the reason and the skips should stop.
This workaround does work for us:

%SPLUNK_HOME%\etc\apps\introspection_generator_addon\local\server.conf

[introspection:generator:resource_usage]
disabled = true
acquireExtra_i_data = false
Hi Team,

We're getting skipped search alerts for all 3 Lookup Gen searches. How can we resolve this? Even after disabling those searches we are still getting errors for them. Your assistance is greatly appreciated.

Lookup Gen - bh_sourcetype_cache  broken_hosts  Relation '' is unknown. (2)  none  2
Lookup Gen - bh_host_cache        broken_hosts  Relation '' is unknown. (2)  none  2
Lookup Gen - bh_index_cache       broken_hosts  Relation '' is unknown. (2)  none
OK. This is confusing. You have four hexadecimal digits but they're little-endian, so the resulting bit order (not byte, mind you; you're happily using the same word for both bits and bytes). But what should the calculation be based on? What do you want to achieve? You showed only one example, which is a power of 2, so it gives you just one set bit in your whole 16-bit sequence. But what if you had 0x63 0x3A? 0x63 is 01100011, 0x3A is 00111010. As this is little-endian, the resulting bit-stream would be 00111010 01100011. And what now? You want the position of the first non-zero bit from the right? And what does it have to do with "lookup"?