Ok, you're mixing several things here. One thing is syslog: UFs don't send syslog. They can receive syslog (which is not advisable to do directly on a UF anyway, but that's another story). They send data over the so-called S2S protocol, which might be embedded in HTTP requests. UFs have their own load-balancing mechanism and you should be using that. Network-level load balancing won't work properly. If you expect your set of indexers to change frequently you might use indexer discovery. This is all something you should discuss with your Splunk environment architect.
Hi @Somesh, to send logs from Universal Forwarders to Indexers you don't need to use a Load Balancer, because Splunk has its own method to auto load balance data from UFs to IDXs. You only have to indicate in outputs.conf (on the UFs) the autoLB group and the destination Indexers. It's a different thing for syslog: you need a Load Balancer to distribute load between receivers and manage failover. One thing: if possible don't use Indexers to receive syslog, but use two (or more) UFs with an rsyslog (or syslog-ng) receiver; in this way you separate the input phase from the parsing, merging, typing and indexing phases. Ciao. Giuseppe
The transaction command will group events based on the event content and will generate some extra fields like "closed_txn", "eventcount", etc. In this case we have selected the starting event with content "Error occurred during message exchange" and the ending event with content "REQ\=INI". If both events are present then the generated field closed_txn=1 will be set, else closed_txn=0 will be set. Adding the condition below will only show the events which don't have a pair (REQ=INI) event. In the above screenshot you can see the second event is actually a group of 2 events (closed_txn=1) and the first event is standing alone (closed_txn=0). Adding the below line to the search will only keep the event for which REQ=INI has not yet been received in the last 7 min (please note: 'latest=-7m' added as an early filter):
| search closed_txn=0
The result will look like below; from that you can create an alert as you wish. I hope this is what you are looking for.
Hi @Prashant , good for you, see next time! let me know if I can help you more, or, please, accept one answer for the other people of Community. Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated
Hi @gcusello - Ah got it. Thank you so much.  
Hi @Prashant, from the inputlookup you don't have a timestamp _time. If you want the now() timestamp you can try in this way:
| inputlookup dns.csv
| dnsquery domainfield=domain qtype="A" answerfield="dns_response" nss="10.102.204.52"
| eval DateTime=strftime(now(),"%a %B %d %Y %H:%M:%S")
| eval Status = case(isnotnull(dns_error), "UnReachable", 1=1, "Reachable")
| table DateTime domain dns_response dns_error Status
Ciao. Giuseppe
Hi Team, I am using the below query to get the DNS lookup query. Everything is fine, but I am not getting the time field aligned with my inputlookup query. If I remove the inputlookup and use the individual domain name then it works fine; however I would like to have the time as well along with my inputlookup data.
| makeresults
| inputlookup append=t dns.csv
| dnsquery domainfield=domain qtype="A" answerfield="dns_response" nss="10.102.204.52"
| eval Status = case(isnotnull(dns_error), "UnReachable", 1=1, "Reachable")
| eval DateTime=strftime(_time,"%a %B %d %Y %H:%M:%S")
| table DateTime domain dns_response dns_error Status
The result is showing as:
| DateTime | domain | dns_response | dns_error | Status |
| --- | --- | --- | --- | --- |
| Wed September 18 2024 11:57:19 | | | | Reachable |
| | ns1.vodacombusiness.co.za | 41.0.1.10 | | Reachable |
| | ns2.vodacombusiness.co.za | 41.0.193.10 | | Reachable |
| | ns3.vodacombusiness.co.za | - | Could not execute DNS query: A -> ns3.vodacombusiness.co.za. Error: None of DNS query names exist: ns3.vodacombusiness.co.za., ns3.vodacombusiness.co.za. | UnReachable |
Hi @dhiraj, let me understand: if you have both the events (message and REQ=INI), running the first two items of my search you should have two types of events (check this in the interesting fields). So the following stats command should give you type_count=2 (if both are present) and type_count=1 if there's only one. If you have both the strings to search ("Error occurred during message exchange" and "REQ=INI") in two different events (as in your screenshots), you should have both the types; if not, check the strings to search and the eval condition. Ciao. Giuseppe
Hi Lawrence, can you please share your solution? A customer just asked us to collect audit logs from Marketing Cloud and we're trying to figure how to do it. Thanks a lot!   Marco
Hello everybody, I want to confirm that the fix to enable cgroup v2 on RHEL8 has solved the issue for us as well. Regards, Harry
How can I verify this? How do I grant a specific user permission for all jobs? Does the user require particular capabilities or roles to search for a job? I noticed that sometimes the user has successfully accessed the "/services/search/jobs" endpoint, but encountered issues when using the "/services/search/jobs/{searchid}" endpoint. Sometimes I got Unauthorized on "/services/search/jobs" and sometimes got Unauthorized on "/services/search/jobs/{searchid}".
Can you please elaborate a bit? It's not working.
Hi @gcusello, still I am getting the same output in both situations. If I have only "Error occurred during message exchange" then I am also getting type_count=1 and type=Message, and when I have both keywords "Error occurred during message exchange" and "REQ=INI" then also type_count=1 and type=Message. FYI, I have not extracted any data, just monitoring data logs.
Hi @dhiraj, are you sure that the REQ field is already extracted? Otherwise you have to search a different condition:
index=your_index ("Error occurred during message exchange" OR "REQ=INI") earliest=-420s
| eval type=if(searchmatch("REQ=INI"),"INI","Message")
| stats dc(type) AS type_count values(type) AS type
| where type_count=1 AND type="Message"
Ciao. Giuseppe
Try this:
index="yourindex" latest=-7m
| transaction startswith="Error occurred during message exchange" endswith="REQ\=INI" keepevicted=true
| search closed_txn=0
Hi @gcusello, I am checking the whole day for testing and it's giving me a count of 1 and the only type is Message. But actually we have both keywords in the data, which means no alert is required.
Hi @fahimeh, are you using XML or classic format? If XML, try using the classic format by adding renderXml=0 to inputs.conf. Ciao. Giuseppe
Hi @dhiraj, you have to change only the time period (7 minutes), then the search should be correct:
index=your_index ("Error occurred during message exchange" OR REQ="INI") earliest=-420s
| eval type=if(REQ="INI","INI","Message")
| stats dc(type) AS type_count values(type) AS type
| where type_count=1 AND type="Message"
Using this search you select only events with your two conditions, and using the eval and the stats you identify the presence of one or both of the conditions. In your use case you want to fire the alert if there's the error message but there isn't the REQ=INI condition; the other conditions are excluded. Ciao. Giuseppe
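The pairing logic this thread is after, both in the transaction-based answer above (closed_txn=0 with latest=-7m as the grace period) and in the stats-based variant, written out as an added Python example so the alert condition can be tested against sample data offline. This is not code from the thread or from Splunk; it assumes a constructed log format of a "YYYY-MM-DD HH:MM:SS" timestamp followed by the message text, and it treats an error as unmatched when no REQ=INI follows it within 7 minutes.

```python
from datetime import datetime, timedelta

START_MARKER = "Error occurred during message exchange"
END_MARKER = "REQ=INI"
WINDOW = timedelta(minutes=7)

# Constructed sample log (not from the thread): "YYYY-MM-DD HH:MM:SS <message>" per line.
SAMPLE_LOG = """\
2024-09-18 11:50:00 Error occurred during message exchange
2024-09-18 11:52:30 REQ=INI
2024-09-18 11:58:00 Error occurred during message exchange
2024-09-18 12:07:10 REQ=INI
2024-09-18 12:10:00 Error occurred during message exchange
"""


def parse_ts(text):
    """Parse the assumed 'YYYY-MM-DD HH:MM:SS' timestamp format."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def parse_log(text):
    """Return (timestamp, message) tuples sorted by time; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        events.append((parse_ts(line[:19]), line[20:]))
    events.sort(key=lambda event: event[0])
    return events


def pair_transactions(events, window=WINDOW):
    """Mimic 'transaction startswith=... endswith=... keepevicted=true':
    each error opens a transaction, the next REQ=INI within the window closes it
    (closed_txn=1); an error with no such REQ=INI is emitted with closed_txn=0."""
    transactions = []
    open_start = None
    for ts, message in events:
        if START_MARKER in message:
            if open_start is not None:  # previous error never got its REQ=INI
                transactions.append({"start": open_start, "end": None, "closed_txn": 0})
            open_start = ts
        elif END_MARKER in message and open_start is not None:
            closed = ts - open_start <= window
            transactions.append({"start": open_start,
                                 "end": ts if closed else None,
                                 "closed_txn": 1 if closed else 0})
            open_start = None
    if open_start is not None:  # still open at end of data (keepevicted=true keeps it)
        transactions.append({"start": open_start, "end": None, "closed_txn": 0})
    return transactions


def unmatched_errors(events, now, window=WINDOW):
    """The '| search closed_txn=0' step: errors at least one window old that were
    never closed. Younger errors are not reported yet (the role of 'latest=-7m' in
    the thread), but only the error's own age is checked here, so a REQ=INI that
    arrived inside the last 7 minutes still counts as closing its error."""
    return [t["start"] for t in pair_transactions(events, window)
            if t["closed_txn"] == 0 and now - t["start"] >= window]


if __name__ == "__main__":
    log_events = parse_log(SAMPLE_LOG)
    for start in unmatched_errors(log_events, parse_ts("2024-09-18 12:15:00")):
        print(f"ALERT: error at {start} had no REQ=INI within 7 minutes")
```

Run as-is it reports only the 11:58:00 error: the 11:50:00 one was closed by a REQ=INI 2.5 minutes later, and the 12:10:00 one is still inside its 7-minute grace period at the assumed "now" of 12:15:00. Checking the age of the error rather than cutting the whole event stream at now-7m is the design choice worth noting: a search that drops every event newer than 7 minutes also drops a REQ=INI that arrived in that interval, which produces a false alert for the error it closed.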
Hi @gcusello, it's not working. We are monitoring a log, and whenever the line "Error occurred during message exchange" occurs and the REQ=INI line didn't occur in the last 7 minutes, it should trigger an alert. With the above search I am getting type_count=1 in both conditions, if "REQ=INI" is present and if it is not present.
Hello, some of the logs coming from the Windows Universal Forwarder to Splunk show the following error in the message field for certain events: "Splunk could not get the description for this event." I have reviewed https://community.splunk.com/t5/Getting-Data-In/Why-quot-FormatMessage-error-quot-appears-in-indexed-message-for/td-p/139980, but it doesn't solve the issue, as this problem only occurs for a few specific events at specific times. I am using Splunk version 9.2. What could be the issue?