I've got some events I'm converting to metrics using mcollect with a scheduled report. Does anyone know how to get the metrics to store the original host from the logs instead of whichever indexer they get sent to? This is the query I'm using to populate the metrics:

sourcetype=mysourcetype host=* "Events to count"
| bin _time span=1m
| stats count AS _value BY _time, host
| eval metric_name="My.Metric.Name"
| mcollect index="prod_metrics"

The host field in the metrics ends up being a random indexer from our cluster. I know I could always rename host as server, but if possible I'd like to use the expected field name since all our other natively populated metrics are by host.
We are trying to configure an "environment" in DLTK version 4 on Splunk 8.0.6 and cannot get the right combination of settings to work with a cloud-based Kubernetes cluster (on Linux). Since this scenario is not explained in the git Admin manual documentation, I haven't been able to figure it out. Which fields are required/necessary to connect to a cloud-based Kubernetes cluster with certificates? It's not clear which fields are needed, and which combination of fields we should use. The minikube and AWS settings don't seem to apply for this scenario. Do we need to enable an Ingress service on the cluster before connecting with DLTK? I see node-port is set in the configuration already.
Hi friends!

How do I discard Windows events of type EventCode = 4663 from Splunk executables? I want to dismiss only Splunk-related events:

SplunkUniversalForwarder\bin\splunk-powershell.exe
splunk-regmon.exe
splunk-admon.exe

This is to reduce the consumption of the Splunk license. Example log:

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{}'/><EventID>4663</EventID><Version>1</Version><Level>0</Level><Task>12802</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2021-02-23T14:56:54.615235600Z'/><EventRecordID>835675728</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='10472'/><Channel>Security</Channel><Computer>DC01.net</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NT AUTHORITY\SYSTEM</Data><Data Name='SubjectUserName'>DC01$</Data><Data Name='SubjectDomainName'>DC01</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='ObjectServer'>Security</Data><Data Name='ObjectType'>SymbolicLink</Data><Data Name='ObjectName'>\SHARE??\E:</Data><Data Name='HandleId'>0x94</Data><Data Name='AccessList'>%%4544</Data><Data Name='AccessMask'>0x1</Data><Data Name='ProcessId'>0x1fa8</Data><Data Name='ProcessName'>E:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe</Data><Data Name='ResourceAttributes'>-</Data></EventData></Event>

Thanks in advance!

James \o/
The Java agent was installed and it was reporting fine, but last week the server was down, and after the patching work was done, it was not reporting in AppD. AppD did not come back up when the server came back up. Please suggest.
Hi guys,

I have done my due diligence scouring internet forums and docs but can't seem to figure out how to tailor this sedcmd I'm using in this query to remove everything after host. This log is from a mainframe system and is broken in a funky manner. I am wanting to keep the host entry that is bolded but remove everything after this. Can I get someone to assist me with the sedcmd and explain how to apply this "wildcard" to everything in the log, not just the line in question?

Log:

Feb 23 11:45:51.469604 host-qa log {start 1614098751.47494} {addr xx,xx.xx.194} {port 85488} {method GET} {url /statictest.html} {bytes 399} {status 200} {end 1614098751.461997} {host 88.10.30.7}
Feb 23 11:45:51.469604 nstop-qa CommonLog:
Feb 23 11:45:51.469604 nstop-qa 10.13.80.7 - - [23/Feb/2021:11:45:51 -0500] "GET /statictest.html HTTP/1.0" 200 399
Feb 23 11:45:51.470248 host-qa '
Feb 23 11:45:51.470248 host-qa

Query:

basesearch | rex mode=sed field=_raw "s/{host.*//g"

Results after I run this query:

Feb 23 11:45:51.469604 host-qa log {start 1614098751.47494} {addr xx,xx.xx.194} {port 85488} {method GET} {url /statictest.html} {bytes 399} {status 200} {end 1614098751.461997}
Feb 23 11:45:51.469604 nstop-qa CommonLog:
Feb 23 11:45:51.469604 nstop-qa 10.13.80.7 - - [23/Feb/2021:11:45:51 -0500] "GET /statictest.html HTTP/1.0" 200 399
Feb 23 11:45:51.470248 host-qa '
Feb 23 11:45:51.470248 host-qa
This doc, https://docs.splunk.com/Documentation/Splunk/8.1.0/Security/ConfigureauthextensionsforSAMLtokens, says that SAML_script_azure.py ships with Splunk Enterprise.  It is nowhere to be found on the 8.1 installations I have.  Anybody know where I can find it? I tried azureScripted.py in $SPLUNK_HOME/share/splunk/authScriptSamples but it is not the same.
Hello, I currently have an issue where the Time Picker I am using is not displaying anything unless I specify All Time. Even then I still cannot see my most recent events. The thing that baffles me is that I am using that same dashboard on another system and it works perfectly fine; I can see the most recent events as they come in. I am using tokens for my time charts and passing in the time value from another dashboard, but I don't think that is the issue because if I click All Time it works semi-correctly. Any suggestions? -Marco
Hi! How do I get Meraki data into Splunk Cloud? I have installed the Meraki_TA app, but it requires a UDP port set up to forward the data from the Meraki appliances; however, I don't seem to have this option in Splunk Cloud?
Does anyone have a short list of how to run health checks on my Splunk Enterprise & ES daily? Please share the SPL that applies.
Hi All. I am working on a Splunk migration project which involves moving Splunk instances to new servers. So far I have managed to document the steps for CM, Deployer and SHC clustering. I am unable to find any detailed steps for Indexer clustering. Can anyone in this forum guide me with the procedure? In our environment Splunk is running with Indexer clustering (2 servers). Thanks!
I just installed Cisco Secure eStreamer Client (f.k.a. Firepower eNcore) Add-On for Splunk 4.0.11 from Splunkbase but do not see a setup link for the initial interface. After digging I found setup.xml is missing. Any fix for this? My Splunk install is not in the default location, so during manual config it did throw a lot of errors for openssl as well. I was finally able to configure it but wanted to see if the setup page can be made available in the GUI.
Hello everyone, I found a weird bug in the cascading replication process. The shcluster captain says when it tries to replicate the bundle that the field content-length is too large (max is max int). I think it's the replication plan that's failing. I would like to know how I can use cascading replication and also if there is a way to determine the exact size of the knowledge bundle and its contents. Thank you very much.
Hi All, I need help with some Splunk code. Below is the data I have and a sample table of how the output should look.

Input data:

From   To     Latency
CATRC  CACCO  43.94
CATRC  CATRC  0
CATRC  GBLCO  148.61
CATRC  GBLHD  88.06
CATRC  INMCO  283.96
CATRC  CACCO  43.94
CATRC  CATRC  0
CATRC  GBLCO  148.61
CATRC  GBLHD  88.06
CATRC  INMCO  283.96

Required Output Table:

       CACCO   CATRC   GBLCO   GBLHD   INMCO
CACCO  0       43.94   167.54  131.97  305.64
CATRC  44.61   0       148.61  88.06   283.96
GBLCO  167.54  148.61  0       3.51    137.96
GBLHD  131.97  88.06   3.51    0       5.5
INMCO  305.64  283.96  137.96  5.5     0

The challenge is getting code for both the X and Y axes in the table.
Hello, I have an error in the "_internal" index (sourcetype=splunkd) on my search head. You can see the error in the logs below:

02-23-2021 14:31:01.735 +0100 ERROR SearchOperator:datamodel - Error in 'DataModelEvaluator': Data model 'Cloud_Infrastructure' was not found.
02-23-2021 14:31:01.735 +0100 ERROR DataModelEvaluator - Data model 'Cloud_Infrastructure' was not found.

I don't understand; we shouldn't be using this data model. How can I find why/where the data model is called in order to delete or disable it?
Hi, I'm using the Nessus Data Importer (TA-nessus-json). I initially set up the script and ran it; it worked first time like a charm. I now seem to be getting the same error over and over, even when I reconfigure from scratch:

using API keys for Login
Traceback (most recent call last):
  File "nessus2splunkjson.py", line 247, in <module>
    hidarray = [int(i) for i in o.readlines()]
ValueError: invalid literal for int() with base 10: ''

Does anyone have any experience with this Add-on and know why this happens? Not sure if @amorgado is still developing / maintaining this one.
<Shipment Action>
  <ShipmentLines>
    <ShipmentLine PrimeLine="2" />
    <ShipmentLine PrimeLine="3"/>
    <ShipmentLine PrimeLine="4"/>
    <ShipmentLine PrimeLine="1"/>
  </ShipmentLines>
</Shipment Action>

In the above XML file I have to pick out the ShipmentLine count; sometimes the number of ShipmentLine entries increases. I have tried different rex combinations without luck. Any suggestions?

Output: ShipmentLine=4 count
Are there any API permissions to assign to the Splunk Add-on for Microsoft Cloud Services? I did grant the Active Directory Application read access as a role under IAM, but there is nothing in the documentation that states whether API permissions for the app in Azure are needed at all. When I check the app's API permissions, the only right I see is for Microsoft Graph, User.Read with Type set to 'Delegated' and Description set to 'Sign in and read user profile'. Just wondering if any additional API permissions need to be assigned. Thx
Hello, I work as a performance test consultant for a client. I use gatling.io to generate load on applications and then collect and analyze various measurements: system measurements (CPU, memory, etc.) and response times. I want to know if there's a way to "push" those measurements to Splunk. Thanks for your quick reply. Samuel
Hi, I have the following files indexed:

rw-r--r-- 1 dmu interface 7206 Jan 27 01:46 a+b.zgeypynd.pcsdatei.600.gpg.1.20210127014546.gpg
rw-r--r-- 1 dum interface 366 Jan 27 02:45 c+d.zpettime.abcdpd1fo.600.2.20210127020002.gpg

I need to capture only the following part from the filename:

zpettime.abcdpd1fo.600
zgeypynd.pcsdatei.600

I am using this regex, which is helping to capture only the filename from source, i.e. a+b.zgeypynd.pcsdatei.600.gpg.1.20210127014546.gpg:

| rex field=source ".*\/(?<filename>.*)$"

I want to extract everything after the first dot (.) up to the number 600 of the filename, i.e. zgeypynd.pcsdatei.600. Please help me with the rex expression.
Hi, in the threat intel module, when adding a new threat feed source, the feed also contains SHA-256 and MD5, but I can map only one of them to the file_hash var. Is there an option to map multiple fields into the same var?