Hi All, I want to extract the following word from sentence: nodeUrl=https://sappbos.aexp.com/odata.svc/v1.0/BlazeoData/UddsSappSupplierPymntAccpts? nodeUrl=https://merchantcompass.aexp.com/odata.svc/v1.0/BlazeoData/MerchantCompassLookups Can someone please guide me.

I am trying to get data into Splunk to show the members of the local / builtin windows groups. In particular "Administrators" and "Remote Desktop Users" Utilizing the Splunk Forwarder. I am using a WMI (WQL) query to do this via wmi.conf (C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\wmi.conf) This stanza currently works: (FYI: Fakenameofserver = hostname) disabled = 0 ## Run once per day ## edited interval = 86400 wql = ASSOCIATORS OF {win32_group.Domain="Fakenameofserver",Name="Administrators"} where assocClass=win32_groupuser Role=GroupCompOnent ResultRole=Partcomponent index = window I don't want to have to prefill the wql queries in the wmi.conf file with the server name on each server. How do i use an environmental or Splunk variable to replace "Fakenameofserver" with the name of the host the Splunk forwarder is running on. I have tried a number of combinations of $host, %host%, %servername%, %computername% etc etc. Everytime i restart the forwarder to force the query to run i don't get any data into splunk and the log file says: Error occurred while trying to retrieve results from a WMI query (error="Object cannot be found." HRESULT=80041002) (root\cimv2: ASSOCIATORS OF {win32_group.Domain="%VARIABLENAME%",Name="Remote Desktop Users"} where assocClass=win32_groupuser Role=GroupCompOnent ResultRole=Partcomponent)   Has anyone had success with this and can you suggest how i can get the stanza to resolve the variable into the value when it queries? Where should i define the variables (if required) and what syntax do i use when writing these in the wql query? Thanks for any suggestions.

hi why my background color property dont works while the font size property works? thanks   <row> <panel> <html> <style> <b> <font size="4" face="verdana" color="blue" background-color="white"> <center> </center> </font> </b> </style> </html> </panel> </row>  

Hello,  I'm currently working on configuring SSL from a UF sitting on a Windows server to a HF running on RHEL 7. I am using third party certs that I obtained from my lab windows PKI environment that has two tiers of CA (RootCA/SubCA) with the HF having a signed cert (.pem file) as well as each UF sharing a single cert that was signed by the same Subordinated CA. I've managed to successfully achieve/confirm this SSL connection is happening using the Validate your configuration doc by Splunk, but the configuration seems to contradict itself so I would appreciate some insight into where I may have gone wrong that resulted in this.  The contradiction is within the requireClientCert parameter on the Splunk HF, as well as the clientCert parameter on the Universal Forwarder. I have tested several times after restarting the Splunk service on both workstations and this connection ONLY works when I have both clientCert configured within the outputs.conf as well as requireClientCert = false. If either of these variables are changed or I remove the clientCert parameter (even though it should be technically not required) I have a connection error.  For example, with the configuration below, if I changed requireClientCert = true the entire connection would fail, even though I believe the clientCert .pem file is configured correctly.  My certificate chains for each host are as follows: HF:  adcs.pem (shared with clients via deployment server, to be used for sslRootCaPath parameter) <intermediate (subordinate/issuing) ca certificate> <root ca certificate> heavyforwarder01.pem (certificate chain to be used for serverCert parameter) <hf01.pem cert issued by subordinate ca> <decrypted rsa key> <subca_pub.pem> <rootca_pub.pem> UF:  server.conf sslRootCAPath = C:/path/to/adcs.pem universalforwarder01.pem (certificate chain to be used for clientCert parameter) <uf01.pem certificate issued by subordinate CA> <encrypted rsa key for cert> <subca_pub.pem> <rootca_pub.pem> Configuration for outputs.conf on Universal Forwarder: [tcpout] defaultGroup=splhf01 [tcpout:splhf01] disabled=0 server = splhf01.domain.local:9998 clientCert = C:\path\to\universalforwarder01.pem sslPassword = <redacted> useClientSSLCompression = true sslCommonNameToCheck = splhf01.domain.local sslVerifyServerCert = true Configuration for server.conf on Universal forwarder: [sslConfig] sslRootCAPath = C:\path\to\combined\adcs.pem   Configuration for inputs.conf on Heavy Forwarder/Indexer: [default] host = splhf01 [splunktcp:9997] disabled = 0 [splunktcp-ssl:9998] disabled = 0 [SSL] serverCert = /opt/splunk/etc/auth/ssl/s2s/heavyforwarder01.pem requireClientCert = false sslVersions *,-ssl2 sslCommonNameToCheck = splhf01.domain.local Configuration for Heavy forwarder server.conf <..> [sslConfig] sslRootCAPath = /path/to/combined/adcs.pem <...>

Hi, all! How could I edit my search command in order to filter this table which will display the earliest time of the same value(Call_Session_ID)?  Here is my original search command: index="hkcivr" source="/appvol/wlp/DIVR01HK-AS01/applogs/progresshk.log*"| table Time Call_Session_ID  

I've installed Splunk as Standalone and I'm trying to run Splunk commands under /opt/splunk and they didn't work. My question is what is the path/folder that I should be at to run Splunk commands like:  splunk show splunkd-port splunk show web-port splunk show servername