All Topics


My forwarder refuses to connect to the manager over 8089. The firewall is allowing traffic, set deploy-poll is working, and yet I cannot see the connection even being attempted via netstat on the Splunk universal forwarder (nix).
UF ---> HF
Here is my deploymentclient.conf:
    [deployment-client]
    [target-broker:deploymentServer] #this was part of default after command was run
    deploymentServer=x.x.x.x:8089
    targetUri = 10.1.10.69:8089  #this was part of default after command was run
I need to list which data sources have datamodels. I tried a few ways but none of them were effective. Can you help me, please? Best regards, Valderlúcio.
I'm new to REX and trying to extract strings from _raw (which is actually a malformed JSON, so SPATH is not a good option either). I was able to create a REX to identify the pattern that I want (or kind of). However, I'm having trouble establishing the correct boundaries. This is where my lack of experience with REX is showing. I cannot establish the end of my pattern correctly. I have pasted the expression that I'm using and a cleaned-up sample of the text I'm dealing with.
    | rex field=_raw "next\_best\_thing.+description(?<NBT>.+)topic"
I thought this would identify the beginning of my pattern as next_best_thing (as it does) and the end after the first description, and capture the Group (NBT) as \\\":\\\"Another quick brown fox jumps over the lazy dog.\\\"},{\\\" (just before the first topic). Naturally, a lot of clean-up would still be necessary but I would have something to work with.
However, it seems that the search starts from the end of the _raw string, so the description that is being captured is in a different part and the Group becomes something completely different from what I intended (\\\":\\\"A third quick brown fox jumps over the lazy dog\xAE Bla Bla BlaBla?\xA0 And a forth The quick brown fox jumps over the lazy dog.\\\"},{\\\").
Also, if the expression is just
    | rex field=_raw "next\_best\_thing.+description(?<NBT>.+)"
omitting the end boundary (TOPIC), the whole pattern changes, with a completely different description being used as the end boundary. And naturally the Group changes completely. The latter reinforces the impression that the searches are being performed from the end of _raw.
Is there a way to change the search direction? Or am I even more wrong / lost than I think on how to establish the boundaries for pattern and group?
"BlaBla_BlaBla_condition\\\":\\\"\\\",\\\"OtherBla\\\":{\\\"description\\\":\\\"The quick brown fox jumps over the lazy dog\\\",\\\"next_best_thing\\\":[{\\\"topic\\\":\\\"Target Public\\\",\\\"description\\\":\\\"Another quick brown fox jumps over the lazy dog.\\\"},{\\\"topic\\\":\\\"Benefit to Someone\\\",\\\"description\\\":\\\"A third quick brown fox jumps over the lazy dog\xAE Bla Bla BlaBla?\xA0 And a forth The quick brown fox jumps over the lazy dog.\\\"},{\\\"topic\\\":\\\"Call to Something\\\",\\\"description\\\":\\\"The fith quick brown fox jumps over the lazy dog.\\\"}]}},\\\"componentTemplate\\\":{\\\"id\\\":\\\"tcm:999-111111-99\\\",\\\"title\\\":\\\"BlaBlaBla_Bla_Bla\\\"},\\\"ia_rendered\\\":\\\"data-slot-id=\\\\\\\"BlaBlaBla\\\\\\\" lang=\\\\\\\"en\\\\\\\" data-offer-id=\\\\\\\"BLABLABLABLABLABLA\\\\\\\" \\\"}\",\"Rank\":\"1\"},\"categoryName\":\"\",\"source\":\"BLA\",\"name\":\"OTHETHINGSHERE_\",\"type\":null,\"placementName\":\"tvprimary\",\"presentationOrderWitinSlot\":1,\"productDetails\":{\"computerApplicationCode\":null,\"productCode\":\"BLA\",\"productSubCode\":\"\"},\"locationProductCode\":null,\"locationProductSubCode\":null,\"priorityWithInProductAndSubCode\":null}],\"error\":null},\"custSessionAvailable\":false},\"ecprFailed\":false,\"svtException\":null}"
Hi @ITWhisperer
    index=foo sourcetype=json_foo source="az-foo"
    | rename tags.envi as env
    | search env="*A00001*" OR env="*A00002*" OR env="*A00005*" OR env="*A00020*"
    | table env
From the fields I am using:
    env="*A00001*" as "PBC"
    env="*A00002*" as "PBC"
    env="*A00005*" as "KCG"
    env="*A00020*" as "TTK"
reference:
From this SPL, I am trying to create a table like
    ------------------------------------------------------
    PBC           |   KCG           |   TTK
    ------------------------------------------------------
    all values    |   all values    |   all values
    count         |   count         |   count
Hello all, I have a problem with my SMTP configuration. When I send e-mail I get this error:
    2024-02-14 16:44:15,213 +0100 ERROR cli_common:482 - Failed to decrypt value: ***************************=, error: Read custom key data size=30
Does someone have an idea?
Hi, I had an add-on built using Add-on Builder last year and it was working. In January I rebuilt it using the latest version of Add-on Builder and it started failing with
    CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate
I did not make any change to our add-on other than adding some extra logs. Does anyone know what changed in the latest Add-on Builder version, 4.1.4, that made it start failing? I will appreciate any help in troubleshooting this issue.
Hello, our application is not working anymore after upgrading from 9.0.7 to 9.1.2. We have a dashboard made in HTML and we were including it in a simplexml dashboard. It's not working because in 9.1.2 jquery libraries older than 3.5 are not supported anymore. Is there a workaround for this matter except rewriting the application in Dashboard Studio? It's a complex application and we have multiple dashboards like this one.
    <view template="app:/templates/TUBE-MAP.html">
      <label>App name</label>
    </view>
Hi Team, we have currently installed the Splunk DB app on a Heavy Forwarder. How do we connect this app from the Heavy Forwarder to the Splunk Cloud Search Head + Indexer server?
Hi Community, Just a quick question to see if this is an issue that anyone else has experienced, do you have problems with the Splunk daemon not communicating properly with the other members of a cluster and deployment because of a NIC teaming issue? Our Splunk (Windows) hosts have servers with dual NIC cards, for whatever reason, in an active-active configuration Splunk does not know how to communicate. The underlying host is up and functional, and the local instance of splunkd appears to be running, but communicating between nodes is nil until the teaming is moved to active-standby or one of the NICs is disabled.
New Splunk instance throwing error after deploying apps. Please help.
Root Causes --V
    events from tracker.log have not been seen for the last 2190 seconds which is more than the red threshold
LOG --v
    TIME (happening multiple times a millisecond) -0500 INFO Tailing Processor [MainTrailingThread] adding watch on path:/opt/splunk/*
I'm looking for support on my $xmlregex Blacklist. I have checked as many previous tickets as I can and I'm still stuck. It works when I put the events into regex101, which is why I'm so confused. This is what I have ended up with:
    [WinEventLog://Microsoft-Windows-PowerShell/Operational]
    disabled = 0
    start_from = oldest
    renderXml = 1
    # 4100 Error Log | 4104 Script Block
    whitelist = 4104,4100
    blacklist = $xmlRegex= $\<EventID\>(?:4104|4100)\<\/EventID\>.*\<Data\sName='ScriptBlockText'\>[\S\s]*[C-Z]:\\Program(?:\sFiles|Data)(\s\(x86\))?\\(?:qualys|Nexthink|uniFLOW\sSmartClient)\\$
    blacklist1 = $xmlRegex= $\<EventID\>(?:4104|4100)\<\/EventID\>.*\<Data\sName='ScriptBlockText'\>[\S\s]*[C-Z]:\\Windows\\ccm\\$
I've had to use [\S\s]* because it's a PowerShell script which has carriage returns in it. Any help would be massively appreciated. Thanks!
Hi Splunkers, I would like to pass the label value to the macro based on some condition. When a single value is selected, the value is correctly passed to the macro and the search loads the results, but when multiple values are selected the search throws an error in the macro.
    </input>
    <input type="multiselect" token="machine" searchWhenChanged="true">
      <label>Machine type</label>
      <choice value="*">All</choice>
      <choice value="VDI">VDI</choice>
      <choice value="Industrial">Industrial</choice>
      <choice value="Standard">Standard</choice>
      <choice value="MacOS">MacOS</choice>
      <choice value="**">DMZ</choice>
      <default>*</default>
      <initialValue>*</initialValue>
      <delimiter>, </delimiter>
      <change>
        <condition match="$label$ == &quot;*DMZ*&quot;">
          <set token="machine_type_dmz">"mcafee_DMZ=DMZ"</set>
        </condition>
        <condition match="$label$ != &quot;*DMZ*&quot;">
          <unset token="machine_type_dmz"></unset>
        </condition>
      </change>
    </input>
Thanks in advance!
Hi, I am trying to use a table icon viz like below. In the static folder I have put the "table_icons_rangemap.js" and the "table_decorations.css" files. I call these files in my XML like this:
    <dashboard version="1.1" script="table_icons_rangemap.js" stylesheet="table_decorations.css">
When I run the dashboard nothing happens. I just have severe, high instead of an icon. I use Splunk Enterprise version 9..1.0.1. Can anybody help, please? Thanks.
I have installed the latest Splunk with Splunk Enterprise Security on it. I have worked with Enterprise Security before, and there were some filters available to filter incidents. Now in this version, 7.3.0, there are no filters. Is there anything I am doing wrong?
Hello Splunk experts, I would like to know: is there an API which can access all events which are being generated in Splunk, irrespective of search? Please suggest! Thank you in advance. Regards, Eshwar
We currently use a User service account to bind with Splunk for LDAP authorization. Is there a way to use Active Directory Managed Service Accounts instead to reduce the overhead of maintaining passwords?
Hi all, I’m a Splunk beginner. I want to show and hide corresponding pie charts using a check box. Can someone please guide me on how to achieve this? Any help or example queries would be greatly appreciated. Thank you!
Does anyone know how to invoke a macro on Splunk Cloud using the REST API? I am using the following command but it always returns the output "No matching fields exist.". I am able to run the same macro directly from the Splunk Search page and it does return results.
    curl -k -u uswer:"password" -k https://company.splunkcloud.com:8089/services/search/v2/jobs/export -d exec_mode=oneshot -d search="\`lastLoginStatsByUserProd(userid,7)\`" -d output_mode=json
Hi, we had deployed the Cloudflare TA app on one of our SH. Could anyone help me in fixing the logs parsing issue in Splunk? App link: splunkbase.splunk.com/app/5114 Thanks
Database logs on a dashboard are not showing in Splunk. Is there anything I can do to make it work?