Here is an enhanced version of the dashboard which performs the actions you described (more or less).

<form version="1.1" theme="light">
  <label>Token-driven repetition save</label>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults format=csv data="field value_1 value_2" | stats count as counter</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <done>
            <condition match="$result.counter$ &gt; 1">
              <eval token="current">if($result.counter$ &gt; 0,$result.counter$,null())</eval>
              <set token="trace"></set>
            </condition>
            <condition>
              <set token="trace"></set>
              <unset token="current"/>
            </condition>
          </done>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
    <panel>
      <table>
        <search>
          <query>| makeresults format=csv data="field value_1 value_2" | eval spl=case(field="value_1","| inputlookup test_2.csv | search NOT field=\""+field+"\" | outputlookup test_2.csv", field="value_2", "| makeresults | eval field=\""+field+"\" | outputlookup append=t test_2.csv")</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>$current$</title>
        <search>
          <query>| makeresults format=csv data="field value_1 value_2" | eval spl=case(field="value_1","| inputlookup test_2.csv | search NOT field=\""+field+"\" | outputlookup test_2.csv", field="value_2", "| makeresults | eval field=\""+field+"\" | outputlookup append=t test_2.csv") | eval counter=$current$ | tail $current$ | reverse</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <done>
            <condition match="$result.counter$ &gt; 1">
              <set token="spl">$result.spl$</set>
              <eval token="current">if($result.counter$ &gt; 1,$result.counter$-1,null())</eval>
            </condition>
            <condition>
              <eval token="spl">if($result.counter$ &gt; 0,$result.spl$,null())</eval>
              <unset token="current"/>
            </condition>
          </done>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
    <panel>
      <table>
        <search>
          <query>$spl$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <done>
            <unset token="spl"></unset>
          </done>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
Hi @danielbb

My understanding on this (and I'd also be pleased if someone can confirm!) is that api_lt and api_et represent the time parameters provided by the user in the time picker or API when running a search, but search_lt and search_et represent the actual earliest and latest time used by Splunk during the search execution. If the user specifies an earliest/latest in the search, for example, this would override the time picker values (api_et/api_lt). If there is no earliest/latest in the search, then search_et/lt become api_lt. I don't recall seeing docs around this though, so if someone can find any please let me know.

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing.
Here is an old answer on the upgrade order of nodes in a distributed environment: https://community.splunk.com/t5/All-Apps-and-Add-ons/Upgrading-Apps-and-Add-ons-in-distributed-environment/m-p/554548/highlight/true#M65820

Quite probably you can do this in a different order, but then you will get some warnings when running it before those are on the correct versions.
@ramiiitnzv

To obtain a license for the Splunk Enterprise Security (ES) app, you need to purchase it from Splunk. https://help.splunk.com/en/splunk-enterprise-security-8/user-guide/8.0/introduction/licensing-for-splunk-enterprise-security
Are these fields mutually exclusive? I'm not sure about the relation between these four fields.
You must have a license to run ES before you can download it. A Developer license does not grant access to ES.
I have a Developer License but I'm unable to download ES. Can anyone help me with this?
In addition to @kiran_panchavat's answer, all the components support backward communication to n-3 Splunk versions, in decreasing order of significance of the architecture components. The first tier is management nodes like the cluster manager and search head cluster deployer. Next would be components like search heads and indexers, and then come the forwarders.
I have a unique problem regarding SNMP and Splunk ITSI. First, my VNF node was forwarding SNMP traps to an SNMP target via SNMPv3. That target supports SNMP auto discovery, so I didn't have to manually configure the Engine ID. Later I got the option of integrating my node with Splunk ITSI and SC4SNMP, which I did, but initially they didn't support Engine ID auto discovery, so I manually ran SNMPGET and provided the Engine ID to them. Now I have started sending my traps towards both nodes with the same OID and Engine ID. But my alarms are not reaching the Splunk index, even though we are able to capture them on the SC4SNMP port. Later I found out that Splunk ITSI is getting the same alarm with the same OID forwarded from the previous target. But this time the target is using SNMPv2 and sending it as a community, with a community string, with a few OIDs bundled together. Can this be the issue where my node's original trap is not reaching the correct index?
To concur with the above answers, you would have to utilize a lookup file that lists out all of the sources you want to monitor. Natively, Splunk does not have a source = 0 events (it doesn't know what it doesn't know). In the environment we work in, we apply a similar approach, but it's based on host and whether the sources are coming in or not for our customers.

| tstats values(source) as source, values(sourcetype) as sourcetype WHERE index=[index] [ | inputlookup [myHostLookup].csv | fields host ] by host
| stats count, values(sourcetype) as sourcetype, values(source) as source by host
| eval Reporting=if(isnull(source), "No Matching Sources", "Yes")
| table host, Reporting, source, sourcetype

--- If this reply helps you, Karma would be appreciated.
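The pattern in the post, an expected-inventory lookup left-joined against what actually arrived, is the same whether it runs in SPL or anywhere else. The following is an added Python example (not the poster's code and not Splunk's) that works the pattern through on constructed data: a stand-in for the host lookup, a handful of constructed (host, source, sourcetype) triples of the kind the tstats stage returns, and the "No Matching Sources" flag for hosts that sent nothing. It goes one step beyond the post by also listing the inverse, hosts that are reporting but are not in the inventory, which is the side Splunk can see natively. The host names, paths and sourcetypes are constructed sample values.

```python
import csv
import io
from collections import defaultdict

# Constructed stand-in for the host lookup (myHostLookup.csv in the post):
# one "host" column listing every host that is expected to report.
EXPECTED_HOSTS_CSV = """host
web01
web02
db01
"""

# Constructed sample events in the shape the tstats stage of the post returns,
# one (host, source, sourcetype) triple per event. "rogue01" is deliberately
# absent from the lookup to show the inverse check.
SAMPLE_EVENTS = [
    {"host": "web01", "source": "/var/log/nginx/access.log", "sourcetype": "nginx:access"},
    {"host": "web01", "source": "/var/log/auth.log", "sourcetype": "linux_secure"},
    {"host": "db01", "source": "/var/log/postgresql/postgresql.log", "sourcetype": "postgres"},
    {"host": "rogue01", "source": "/var/log/syslog", "sourcetype": "syslog"},
]


def load_expected_hosts(csv_text):
    """Parse the lookup CSV into a set of expected host names (the inputlookup step)."""
    return {row["host"].strip() for row in csv.DictReader(io.StringIO(csv_text)) if row.get("host")}


def reporting_status(events, expected_hosts):
    """Left-join the expected inventory against observed events.

    Mirrors the post's `stats values(...) by host | eval Reporting=...` stage:
    every expected host gets a row, and a host with no observed sources is
    flagged "No Matching Sources" instead of silently disappearing.
    """
    observed = defaultdict(lambda: {"source": set(), "sourcetype": set()})
    for ev in events:
        observed[ev["host"]]["source"].add(ev["source"])
        observed[ev["host"]]["sourcetype"].add(ev["sourcetype"])

    rows = []
    for host in sorted(expected_hosts):
        seen = observed.get(host)  # .get() does not create a default entry
        rows.append({
            "host": host,
            "Reporting": "Yes" if seen else "No Matching Sources",
            "source": sorted(seen["source"]) if seen else [],
            "sourcetype": sorted(seen["sourcetype"]) if seen else [],
        })
    return rows


def unexpected_hosts(events, expected_hosts):
    """The inverse check: hosts that are sending data but are not in the inventory."""
    return sorted({ev["host"] for ev in events} - set(expected_hosts))


if __name__ == "__main__":
    expected = load_expected_hosts(EXPECTED_HOSTS_CSV)
    for row in reporting_status(SAMPLE_EVENTS, expected):
        print(f'{row["host"]:8} {row["Reporting"]:20} {",".join(row["source"])}')
    print("not in inventory:", unexpected_hosts(SAMPLE_EVENTS, expected))
```

The point of driving the output from the inventory rather than from the events is the same one the post makes: a host that stops sending produces no event to alert on, so the only way to notice it is to start from the list of what should be there.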
Hi @meg

Please can you confirm the sourcetype that you are using? Also, is this being read directly using a UF and sent to Splunk without going via other systems? Are you ingesting this using the Splunk Add-on for Sysmon for Linux on the UF?

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing.
Hi @mbissante

Just a follow up on my previous post, the following are for 9.0.9, which was the last 9.0.x release:

-------- Linux --------

-- Tarball (TGZ)
wget -O splunk-9.0.9-6315942c563f-Linux-x86_64.tgz 'https://download.splunk.com/products/splunk/releases/9.0.9/linux/splunk-9.0.9-6315942c563f-Linux-x86_64.tgz'
wget -O splunkforwarder-9.0.9-6315942c563f-Linux-x86_64.tgz 'https://download.splunk.com/products/universalforwarder/releases/9.0.9/linux/splunkforwarder-9.0.9-6315942c563f-Linux-x86_64.tgz'

-- Debian (DEB)
wget -O splunk-9.0.9-6315942c563f-linux-2.6-amd64.deb 'https://download.splunk.com/products/splunk/releases/9.0.9/linux/splunk-9.0.9-6315942c563f-linux-2.6-amd64.deb'
wget -O splunkforwarder-9.0.9-6315942c563f-linux-2.6-amd64.deb 'https://download.splunk.com/products/universalforwarder/releases/9.0.9/linux/splunkforwarder-9.0.9-6315942c563f-linux-2.6-amd64.deb'

-- RHEL (RPM)
wget -O splunk-9.0.9-6315942c563f.x86_64.rpm 'https://download.splunk.com/products/splunk/releases/9.0.9/linux/splunk-9.0.9-6315942c563f.x86_64.rpm'
wget -O splunkforwarder-9.0.9-6315942c563f.x86_64.rpm 'https://download.splunk.com/products/universalforwarder/releases/9.0.9/linux/splunkforwarder-9.0.9-6315942c563f.x86_64.rpm'

Kudos to ryanadler for this great tool: https://github.com/ryanadler/downloadSplunk

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing.
Hi @mbissante

Below are the download links for 9.0.1 if this helps?

- Splunk Linux tar file: https://download.splunk.com/products/splunk/releases/9.0.1/linux/splunk-9.0.1-82c987350fde-Linux-x86_64.tgz
- Splunk Linux rpm file: https://download.splunk.com/products/splunk/releases/9.0.1/linux/splunk-9.0.1-82c987350fde-linux-2.6-x86_64.rpm
- Splunk Linux Debian file: https://download.splunk.com/products/splunk/releases/9.0.1/linux/splunk-9.0.1-82c987350fde-linux-2.6-amd64.deb
- Splunk Windows file: https://download.splunk.com/products/splunk/releases/9.0.1/windows/splunk-9.0.1-82c987350fde-x64-release.msi

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing.
Hi, I need to upgrade Splunk v8.2.2.1 on RHEL 7.6 to Splunk v9.4 on RHEL 9.6. I saw that Splunk 8.2 does not support RHEL 9.6, and the customer cannot upgrade to RHEL 8.x. The only version of Splunk compatible with both versions of RHEL is Splunk 9.0, but it is impossible to download it directly from the Splunk site. How can I download this older version?

Thank you, Mauro
@RAVISHANKAR

Yes, a Splunk Enterprise Search Head running version 9.4.2 can communicate with Indexers running version 9.2.1, but it's recommended to upgrade all components to the same version to ensure full feature compatibility and support.

Yes, UF 8.0.5 can still forward data to Splunk Indexers running 9.2.1 or 9.4.2. However, Splunk no longer provides full support for UF 8.0.x.

Splunk Software Support Policy | Splunk
About upgrading to 8.0 READ THIS FIRST - Splunk Documentation
@meg Please verify your sourcetype. The Splunk Add-on for Sysmon for Linux supports the following source type: sysmon:linux
Yes. The range of interoperability between UFs and receiving components (intermediate forwarders/indexers) is quite big. Even if the official documentation doesn't list something as supported, things might just work. I've had UFs as old as 6.6 sending to version 9 indexers and it ran OK. There might be a minor issue with v9 UFs sending to older indexers, because new UFs generate config change events which are supposed to go to indexes not present on older Splunk instances. The temporary workaround for this is to disable the config tracker inputs on the UFs until the indexers are upgraded to v9. But even if you don't do that, they will generally work; it's just that those events will either land in your last chance index or will generate a warning about a non-existent index and get dropped completely.
@meg

renderXml = false

This setting is typically used in the Universal Forwarder's inputs.conf for Windows Event Logs. If you're forwarding Linux logs, this setting might not be relevant unless you're using it in a specific context. Have you installed the below add-on to parse the data? Can you share your inputs.conf file here?

https://splunkbase.splunk.com/app/6652
https://docs.splunk.com/Documentation/AddOns/released/NixSysmon/Sourcetypes
Hello, we are planning to upgrade Splunk Enterprise from version 9.2.1 to the latest version, 9.4.2. Can a 9.4.2 Search Head talk to a 9.2.1 indexer, or do we need to upgrade the Indexers to the same version as well? Also, will Splunk UF 8.0.5 be able to talk to the Indexers? I read that it will be able to talk, but that we will not have Splunk support for these versions and will only have P3 support if there are any issues. Thanks
My Linux logs cannot be parsed in the dashboard. My renderXml is set to false.