If I'm not mistaken, the license usage logs are generated by the cluster master, so you could try splitting by host. Otherwise have a look in the raw data for that source if there's any other identifier in there that helps you tell things apart.
Invalid key in stanza [clustermaster:one] in /apps/splunk/splunk/etc/apps/100_gnw_cluster_search_base/local/server.conf, line 7: master_uri (value: https://<address>:8089).
Invalid key in stanza [clustermaster:one] in /apps/splunk/splunk/etc/apps/100_gnw_cluster_search_base/local/server.conf, line 8: pass4SymmKey (value: ***************************************).
Invalid key in stanza [clustermaster:one] in /apps/splunk/splunk/etc/apps/100_gnw_cluster_search_base/local/server.conf, line 9: multisite (value: true)
| rex field=ports max_match=0 "(?<port>\d+)" | mvexpand port
The add-on you mentioned is deprecated; the best way would be to use Syslog.
You can use Splunk ODBC to fulfil these requirements; here are some reference docs for you.
I have sample data pushed to Splunk as below. Help me with a Splunk query where I want only unique server names with the final status as the second column. Compare the second column status both horizontally and vertically for each server. The condition is: if any of the second column values is No for that server, then consider No as the final status for that server; if all the second column values are Yes for a server, then consider that server's final status as Yes.

sample.csv:
ServerName, Status, Department, Company, Location
Server1,Yes,Government,DRDO,Bangalore
Server1,No,Government,DRDO,Bangalore
Server1,Yes,Government,DRDO,Bangalore
Server2,No,Private,TCS,Chennai
Server2,No,Private,TCS,Chennai
Server3,Yes,Private,Infosys,Bangalore
Server3,Yes,Private,Infosys,Bangalore
Server4,Yes,Private,Tech Mahindra,Pune
Server5,No,Government,IncomeTax India, Mumbai
Server6,Yes,Private,Microsoft,Hyderabad
Server6,No,Private,Microsoft,Hyderabad
Server6,Yes,Private,Microsoft,Hyderabad
Server6,No,Private,Microsoft,Hyderabad
Server7,Yes,Government,GST Council,Delhi
Server7,Yes,Government,GST Council,Delhi
Server7,Yes,Government,GST Council,Delhi
Server7,Yes,Government,GST Council,Delhi
Server8,No,Private,Apple,Bangalore
Server8,No,Private,Apple,Bangalore
Server8,No,Private,Apple,Bangalore
Server8,No,Private,Apple,Bangalore

Note: The Department, Location & Company are the same for any given server; only the server status differs for each row of the server.

I already have a query to get the Final Status for a server. The query below gives me the unique Final Status count of each server.

| eval FinalStatus = if(Status="Yes", 1, 0)
| eventstats min(FinalStatus) as FinalStatus by ServerName
| stats min(FinalStatus) as FinalStatus by ServerName
| eval FinalStatus = if(FinalStatus=1, "Yes", "No")
| stats count(FinalStatus) as ServerStatus

But what I want is: I have 3 dropdowns on the top of the classic dashboard:
1. Department
2. Company
3. Location

Whenever I select a Department, Company or Location from any of the dropdowns, I need to get the Final Status count of each server based on any of the fields searched. For example, if Bangalore is selected from the Location dropdown, I need to get the final status count for the servers. If I search a Company DRDO from the dropdown, I should be able to get the final status count for servers based on the company. I think it's like:
| search department="$department$" Company="$Company$" Location="$Location$"
Please help with the Splunk query.
Can you try to add the SSL CA chain to the locations below and see if it works?
1) /opt/splunk/lib/python3.7/site-packages/certifi
2) /etc/apps/<Add-on_folder>/lib/certify
Splunk Stream utilities KVStore Services: a 500 ERROR says that the app is not able to communicate with the KVStore. You can try a fresh install; it will solve these errors and the problem you are facing.
Hey @bharat55, where is it installed? On-prem or Cloud? You should've filed a support case for such issues.
Hi PickleRick, if I understand correctly, I either do all the parsing on the UF, or I remove everything from the UF and move the parsing to the indexer (IDX)?
In short, download the codebase from GitHub as a zip, then you can either install it from the GUI or extract the zip to $SPLUNK_HOME/etc/apps and restart Splunk.
@ta1 There are installation instructions in the README.md file in the GitHub repo: https://github.com/plusserver/collectd/blob/master/README.md#installation
Hello, I am getting a field port in an event: ports="['22', '68', '6556']". How can I display them in separate rows?
@ITWhisperer, I have reposted the 2 sample logs with transactionID. Please consider the Channel as a field; the log pattern will be the same but only the Channel and Transaction ID will be different. So if I apply a filter at the Channel level, it only gets reflected in the Level 1 event, since there is no Channel field in the remaining 3 events. I need to calculate whether the transaction successfully passed at all levels or failed in between.
Level: 1
Time:01/09/2024 12:00:00.230
call_headers: "{\"platform\":\"android\",\"user-agent\\"device-id\":\"380C71F2-6546-3340D56648g\",\"channel\":\"APP\"}"
Channel:App
call_severity: 1
log_env: test
message: /api/subscriptiontypes/Prepaid/products/10669413a39dee7fcd8422d80826067b
Function: /api/producttypes/Prepaid/products/10669413a39dee7fcd8422d80826067b
tran_id: dghhaxkhhjxh00765sg
===========================================================================================================
Level: 2
Time:01/09/2024 12:02:00.230
http_status: 200
call_severity: 1
log_env: test
message: /api/subscriptiontypes/Prepaid/products/10669413a39dee7fcd8422d80826067b
Function: /api/producttypes/Prepaid/products/10669413a39dee7fcd8422d80826067b
tran_id: dghhaxkhhjxh00765sg
==========================================================================================================
Level: 3
Time:01/09/2024 12:00:10.220
Req_domain: https://google.com/purchaseproduct
Req_method: POST
log_env: test
message: /api/subscriptiontypes/Prepaid/products/10669413a39dee7fcd8422d80826067b
Function: /api/producttypes/Prepaid/products/10669413a39dee7fcd8422d80826067b
tran_id: dghhaxkhhjxh00765sg
==========================================================================================================
Level: 4
Time:01/09/2024 12:00:30.230
http_status: 200
Status:Completed
log_env: test
message: /api/subscriptiontypes/Prepaid/products/10669413a39dee7fcd8422d80826067b
Function: /api/producttypes/Prepaid/products/10669413a39dee7fcd8422d80826067b
tran_id: dghhaxkhhjxh00765sg
Level: 1
call_headers: "{\"platform\":\"android\",\"user-agent\\"device-id\":\"380C71F2-6546-3340D56648g\",\"channel\":\"web\"}"
Channel:web
call_severity: 1
log_env: test
message: /api/subscriptiontypes/Prepaid/products/10669413a39dee7fcd8422d80826067b
Function: /api/producttypes/Prepaid/products/10669413a39dee7fcd8422d80826067b
tran_id: tdgdbdjkksolsksujj
===========================================================================================================
Level: 2
http_status: 200
call_severity: 1
log_env: test
message: /api/subscriptiontypes/Prepaid/products/10669413a39dee7fcd8422d80826067b
Function: /api/producttypes/Prepaid/products/10669413a39dee7fcd8422d80826067b
tran_id: tdgdbdjkksolsksujj
==========================================================================================================
Level: 3
Req_domain: https://google.com/purchaseproduct
Req_method: POST
log_env: test
message: /api/subscriptiontypes/Prepaid/products/10669413a39dee7fcd8422d80826067b
Function: /api/producttypes/Prepaid/products/10669413a39dee7fcd8422d80826067b
tran_id: tdgdbdjkksolsksujj
==========================================================================================================
Level: 4
http_status: 200
Status:Completed
log_env: test
message: /api/subscriptiontypes/Prepaid/products/10669413a39dee7fcd8422d80826067b
Function: /api/producttypes/Prepaid/products/10669413a39dee7fcd8422d80826067b
tran_id: tdgdbdjkksolsksujj
Hi @fabiyogo1, you can enable syslog from the IPS devices to be sent directly to Splunk, or to an intermediate syslog box and use Splunk agents to forward it to an indexer/HF, depending on how the setup is.
Yes - see example here: https://docs.splunk.com/Documentation/SplunkCloud/latest/RESTTUT/RESTsearches#Example:_Create_a_search 
The names of the investigators are populated in the KV Store user_realnames. Here are the steps that need to be taken for removing the old investigators:
1. Navigate to the app "Splunk App for Lookup File Editing" for editing the KV Store.
2. On the Lookups page, find the "user_realnames_lookup" file and edit it.
3. Delete the users who are not currently part of the organization. To delete, select any cell in the table and right-click; you will see options to delete the selected rows if needed.
4. Ensure that the profiles no longer appear in the investigators section after the lookup update.