Hi guys, I want to get logs from Splunk to my socket.io server, but I receive a BAD MESSAGE REQUEST error on the socket.io server side. I can receive data from Splunk on a simple socket, but I need to use socket.io with WebSocket and I am facing this issue. Can you guys help me to receive data from Splunk on the socket.io server?
I wonder what the best practice is when working with JS in dashboards. I'm on Splunk Enterprise 8.2.1, Windows, single instance, for learning. When I use a JS file just for setting tokens, it is enough to call <host>:<port>/<language>/_bump after changes. But when I require a second JS file inside my JS (a separate JS file for a custom view), I have to rename the second JS file, restart the splunkd service and then _bump. _bump alone is not working, and neither is /debug/refresh here. What is the best practice there? How does Splunk behave on different systems? Our production Splunk, for example, is clustered on Linux servers.
Hi - We have been using OT to send data into a single Splunk install and it is working very well. I am now looking to move this to production and send the data to my cluster: 3 indexers, but I am unsure how to tell the exporter to do this. In a forwarder I would give it the host and port of the 3 indexers, but how do I do this in an exporter?

Configure the exporter:

exporters:
  otlp/aggregation:
    # push to the aggregator
    endpoint: ${AGGREGATOR_HOST}:${AGGREGATOR_PORT}
    insecure: true
  splunk_hec:
    # pushed to splunk
    token: "a04daf32-68b9-48b2-88a0-6ac53b3ec002"
    endpoint: "https://mx33456vm:8088/services/collector"
    source: "mx"
    sourcetype: "otel"
    index: "metrics_test"
    insecure_skip_verify: true

Thanks for your help in advance.
Hi Team, can someone guide me on how I can extract the logs from the below raw data:

1) Need to extract the id 5d302144-3cab-387d-8e8c-2532a32b78fe
2) Need to extract the Starting Time and the Stopping Time

2021-09-01 22:08:48,329 INFO [main] o.a.n.controller.StandardProcessorNode Starting SalesforceBulkAPIJobStatusProcessorV1[id=5d302144-3cab-387d-8e8c-2532a32b78fe]
2021-08-20 12:53:23,476 INFO [main] o.a.n.controller.StandardProcessorNode Stopping processor: SalesforceBatchJobStatusProcessor[id=11c59e11-4bc5-3bbb-9fea-3c12407f3aa2]

Can someone please guide me on this?
Hi Experts! I wondered if there was a way of doing this. I have a need to compare a timestamp of a log to an EPOCH time that is also on the same log line and show the diff. Example:

2021-10-05 04:49:10.138 [pool-1-thread-1] INFO order - [Pool]Book={inst=example,1=[],2=[feed-|time=1633427347600000000}

Manually, the difference is:
2021-10-05 04:49:10.138 (standard time)
2021-10-05 04:49:07.600 (EPOCH time)
Difference: 2.54 seconds

Thanks in advance.
Installing a new HF and getting the "UiHttpListener - Web UI disabled in web.conf [settings]; not starting" message.

/opt/splunk/etc/system/local
[splunk@ilissplfwd10 local]$ cat web.conf
[settings]
splunkdConnectionTimeout = 300
#privKeyPath =/opt/splunk/etc/auth/amd_certificates/ilissplfwd05.key
#serverCert = /opt/splunk/etc/auth/amd_certificates/ilissplfwd05.pem
#privKeyPath = etc/auth/splunkweb/ilissplfwd05.key
#serverCert = etc/auth/splunkweb/ilissplfwd05.pem
#
# enableSplunkWebSSL = true
httpport = 8000
[splunk@ilissplfwd10 local]$ cat server.conf
[general]
serverName = ilissplfwd10
pass4SymmKey = $7$Byj9tE1Bz0uc/sXtMDIlSnuR96UpkmVZHEuj7i0giRrtt5r1zNk=
[sslConfig]
sslPassword = $7$SMjaRC7EGQjvqnX8xl9tkV+VzYcXdQ2rt0Ui0WCC8UzO3IJLqsJd8Q==
[lmpool:auto_generated_pool_forwarder]
description = auto_generated_pool_forwarder
quota = MAX
slaves = *
stack_id = forwarder
[lmpool:auto_generated_pool_free]
description = auto_generated_pool_free
quota = MAX
slaves = *
stack_id = free
[splunk@ilissplfwd10 local]$
Hello folks, has any of you made it work to somehow update the sighting of an attribute in a connected MISP instance? I have my MISP integrated with Splunk; IoCs are being downloaded to the TI framework. Based on this, some correlation searches are scheduled and TI-based notables trigger. I am looking for a way to get the feedback about TP/FP back to MISP. I am using the MISP42Splunk app, which has an adaptive response action "Alert for sighting MISP attribute(s)", but I cannot make it work. I was also trying to do it via some built-in MISP command without any success. Have you guys implemented this feature, or do you know some way to do it? Thanks!
Hello!! I am new to using Splunk and would like to know if it is possible to edit a lookup file via the Splunk REST API or the Lookup Editor API? Thank y'all.
Hello Splunkers, I have an HTML button on my Splunk dashboard, and I want a pop-up when I click that button. That pop-up will have a Splunk query output. Please find my code below:

Button:

<html>
  <button class="btn btn-primary button2" style="margin-left: 950px; margin-top: -75px; position: absolute;" token="button">Report Of Killed Processes</button>
</html>

Button.js:

require([
    'jquery',
    'splunkjs/mvc/searchmanager',
    'splunkjs/mvc/tableview',
    'underscore',
    'splunkjs/mvc',
    '/static/app/abcd/Modal.js',
    'splunkjs/mvc/simplexml/ready!'
], function($, SearchManager, TableView, _, mvc, Modal) {
    // Open the modal when the dashboard button is clicked
    $(".button2").on("click", function (e) {
        e.preventDefault();
        console.log(e);
        var myModal = new Modal("mod1", {
            title: "Movie Details",
            backdrop: true,
            keyboard: false,
            destroyOnHide: true,
            type: 'wide'
        });
        myModal.body.append($('<p>Please find the movie details below</p><div id="modal_dtl_tabl"></div>'));
        // Create the search and table only once the modal is shown, so the target div exists
        $(myModal.$el).on("show", function() {
            setTimeout(function() {
                var epoch = (new Date()).getTime();
                var modal_movie_dtl_srch = new SearchManager({
                    id: "modal_tbl_srch" + epoch,
                    earliest_time: "@d",
                    latest_time: "now",
                    preview: true,
                    cache: false,
                    search: "| inputlookup kill_log.csv | table *"
                });
                var myCustomtable = new TableView({
                    id: "modal_example-table" + epoch,
                    managerid: "modal_tbl_srch" + epoch,
                    pageSize: "10",
                    el: $("#modal_dtl_tabl")
                }).render();
            }, 300);
        });
        myModal.show();
    });
});

Also, I am using Modal.js from Splunk Dev For All, placed in my app ABCD. Now when I click the button, nothing happens.
Hello, I have logs that contain some string that I want to replace with ***. I want it to be permanent and not only at search time. Is it possible? P.S. I don't have the log files anymore, so I cannot delete and index again. Thanks.
Hey there, I am looking to configure the CrowdStrike OAuth API app inside my SOAR instance. To connect to CrowdStrike it will require an account on the CrowdStrike Falcon instance. I cannot find anywhere in the documentation which states what permissions are needed for this account. CrowdStrike details the permissions on its website, but nothing specific for the API actions which are part of the SOAR app. Any ideas?
Hello, can anyone please help me? I want to search sourcetype for these IPs:

10.2.123.123 OR 22.222.222.22 OR 33.333.333.33 | stats count by sourcetype

The result will be a joined result for the 3 IPs above. I want the result like this:

10.2.123.123 | 22.222.222.22 | 33.333.333.33
SourcetypeA  | SourcetypeA   | SourcetypeA
SourcetypeB  | SourcetypeB   | SourcetypeB
SourcetypeC  | SourcetypeC   | SourcetypeC
Currently working on a project where, instead of dedicating a single instance of Splunk only to ES, they actually have ES installed on every search head. From my experience in tinkering with "https://splunk-sizing.appspot.com/", any time I would pick ES for search heads, the automatic amount required for indexer nodes gets tripled. I was just wondering whether this would help ease the critical pressure that is going on in the indexers at the moment. Thanks,
https://answers.splunk.com/answers/562629/how-to-configure-pie-chart-to-display-count-within.html

Same as the above post, I would like to have a pie chart with its count, so I followed the post and it works; it can show the count in the pie chart:

... | stats count by sc_status | eval status_slice = sc_status+" - count:"+count

Besides, we still have a token to pass the sc_status (404/500/304...) to a customised search string in the drilldown. Unfortunately, it's now passing sc_status as "304 - count:21088" instead of passing 304 to the drilldown search when we click on it, which causes the search not to work.

<drilldown>
  <eval token="test">replace('click.value',"(\?&lt;=\d\d\d)(\?s)(.*\$)","")</eval>
</drilldown>

In the drilldown it's not replacing the value as expected. I would like to seek any way that can fulfil both requirements (show the count in the pie chart + pass the correct value to the customised search).
Hello, I'm Sahir Khan. I need a Helm chart for Splunk Operator deployment.
Hi, can anyone please help with extracting stats count by two fields? I have the below data in each transaction:

type    status
A       200
B       400
C       200
B       200
A       200
B       400
A       500
C       300

I need stats in the below format:

type    status    count
A       200       2
A       500       1
B       200       1
B       400       2
C       200       1
C       300       1
Hi everyone, long story short: I am planning to migrate our Splunk cluster from public cloud to on-prem with all the old data staying in the cloud, but transferred from local storage to SmartStore. The new data will be streaming to the on-prem cluster with all the configuration (index names, users, apps, reports, alerts, dashboards, etc.) unchanged, and we will keep a minimal "in-cloud cluster" up and running until the data ages out. That's why we want to move the data from local storage to SmartStore, for cost saving. Now, I have two requirements:

1. Rename the index when data is migrated to SmartStore. This will be used in case we need to "hook it up" with our new on-prem cluster, so we need the index name to be different from its previous name.
2. We have a few indexes configured with "maxDataSize = auto_high_volume". From the SmartStore documentation, it seems that we can only use "maxDataSize = auto"; even if we re-configure this to "auto", it won't re-size the existing buckets from 10G to 750M. My question is: is there any way for us to just move these buckets into SmartStore? The purpose for us is just to retain this data until it expires; there won't be active searches on this data.

Thank you.
Hi All, we are using the DB Connect app to pull the DB logs. When we set the interval as 5 mins (interval = */5 * * * *), I could see some logs are missing. When we set the interval as 1 minute, I could see more logs. Why is it so? For example:

Log count on 6th of October (with 1 minute interval): 521
Log count on 6th of October (with 5 minute interval): 119
I have the following address, and I want to extract the substring. Address: 121, riverstreet, sydney, Australia. I want to extract 'sydney'. Help would be highly appreciated.
Hi all, does the Rubrik app support token authentication yet? Thanks, Linh