Hi, I have Firepower, and it sends my logs with eStreamer to Splunk. My problem: Splunk keeps logs for 70 days, and before 70 days I don't have any logs in Splunk. How do I keep my logs for 1 year in Splunk? I read some notes about maxTotalDataSizeMB and frozenTimePeriodInSecs, that I must change the value in indexes.conf, but I don't know where I change them (GUI or CLI)? I find many indexes.conf files whenever I search for it. I changed the maxTotalDataSizeMB value from 500 GB to 800 GB in indexes.conf in the path opt/splunk/etc/system/local, but I don't find any frozenTimePeriodInSecs parameter in it. Whenever I use the df -h command in the CLI, it shows 498 GB used of 840 GB disk, and this value changes between 488 and 498 GB. Can anyone help me?
My sample events look like this (API logs):

{ location: Southeast Asia, properties: { backendMethod: GET errors: [ {some huge nested object}, {some huge nested object} ] } }

I want to search only the events with the "errors" field. If the API call is successful, it does not have this "errors" field, and I don't want to search those. I have tried:

{baseSearch} | where mvcount('properties.errors') > 0 - this returns nothing
{baseSearch} | where mvcount("properties.errors") > 0 - this returns even the events without the "errors" field
{baseSearch} | where isnotnull('properties.errors') - this returns nothing
{baseSearch} | where isnotnull("properties.errors") - this returns even the events without the "errors" field
{baseSearch} | "properties.errors"=* - this returns nothing

I just need something simple like {baseSearch} | where exist(properties.errors). What is the simplest way?
Can anyone please answer my questions: Are the apps bundled by default in Splunk Cloud upgraded at the same time as the Splunk Cloud instance is upgraded? Is it possible to prevent only the apps from being upgraded when the Splunk Cloud instance is upgraded?
Hello Splunkers,

I want to know if we can create a timechart that will show values only when they change, i.e. when there is a change in the field value. Below is the timechart of events every minute:

2022-12-12 20:41:00 IDLE
2022-12-12 20:40:00 ACTIVE
2022-12-12 20:39:00 FALSE
2022-12-12 20:38:00 FALSE
2022-12-12 20:37:00 FALSE
2022-12-12 20:36:00 TRUE
2022-12-12 20:35:00 TRUE
2022-12-12 20:34:00 TRUE
2022-12-12 20:33:00 TRUE
2022-12-12 20:31:00 NEGATIVE
2022-12-12 20:30:00 NEGATIVE
2022-12-12 20:29:00 NEGATIVE
2022-12-12 20:28:00 TRUE

I am looking for:

2022-12-12 20:41:00 IDLE
2022-12-12 20:40:00 ACTIVE
2022-12-12 20:39:00 FALSE
2022-12-12 20:36:00 TRUE
2022-12-12 20:31:00 NEGATIVE
2022-12-12 20:28:00 TRUE

Thanks in advance!!
Hello dear community, could you please tell me how to find the reason. I am using the HTTP Event Collector for Kubernetes. I have a configured token, and data is coming into the index. But the team I'm helping assures me that the data in the index gets lost and not all of it is sent to Splunk. Maybe someone has already encountered such a problem, and perhaps the limits for data transfer are to blame? But I don't know how to check it. I tried to do a search in _internal on the index for which there are complaints. But perhaps you have a better way. Also, an application is installed on my HF where all the indexes and the tokens for them are registered; there I found a file with limits. How can I see how much data is coming in for a token and whether the values are stuck?
I was pretty sure back when we installed the system we limited a bunch of things, but now I cannot find the configuration anywhere. In the typical /opt/splunk/etc/system/local on my Splunk server I do not seem to have the inputs.conf file anymore. Is this where I would limit my ingestion, or do I do it at the Splunk forwarder level? I am getting a lot of 4634 events, which are filling up my license quota. I want to not log the Logon Type 3s. Can I just create the file where it should be and start adding things there, or how should I go about it?
I was trying to join a group of documents with a list of users that I had in a lookup. The search returns results and always works fine, but the problem is when I try to table another of the fields of the lookup. The search that returns one result then doesn't return anything, and I can't understand why, because the table shouldn't affect the results of the search. I even tried changing the name or different things like listing the lookup and searching the documents, but it simply doesn't work.

This is when I try to table "Nombre": the search doesn't return results. But this is exactly the same search, and if I don't put the field "Nombre", it returns results.

This is the lookup, and if I search for the document that matches in the join, I see that it effectively has the field "Nombre".

All the searches have a range of 7 days ago.
Hi, I am new to Splunk and have a requirement where I have to search the logs on 100 servers and figure out whether each log contains 2 statements as below, e.g.:

"started step1"
"started step2"

The source of the log contains the actual name of the source where I can check the step (location of log: /test/test1/ABC.log, /test/test1/CDE.log, /test/test1/DEF.log), which I figured out based on the rex command (using regex).

I want a table which contains, for each log, how many steps are completed, like:

ABC started step1 started step2
CDE started step1
DEF started step1 started step2
Hi everyone. I just wanted to ask if there is a way to install and manage Splunkbase apps in the Splunk Cloud platform through Terraform code. I found this https://registry.terraform.io/providers/splunk/splunk/latest/docs/resources/apps_local, but from the name I assume it's only for Splunk Enterprise instances.
Hello - I have a requirement where there are 10 users and I want to highlight whether a user is active or inactive. Based on the requirement I have gone with checkboxes, since there can be multiple users active at the same time.

Condition - If the user is active, then the checkbox should be checked. If the user is inactive, then the checkbox should be unchecked.

We are validating via SPL query whether a user is active or inactive. Help me with JS code where we can pass data into the checkbox and toggle the checkbox value, i.e. 1 or 0: 1 means active, 0 means inactive.
Hi All, I am unsure if this question has been answered already - I couldn't see it. I have a time field in Splunk that I have created using:

| eval TimeStamp = strftime(_time, "%Y-%m-%d")

In Splunk the format is correct; the problem I am having is that when the search is exported to .csv the date format changes to "2022/12/04" from "2022-12-04", when I need it to stay as the dashed version. The same thing happens when it runs via the Splunk scheduler to create a .csv file. Any ideas on why, or how to stop this? Thanks in advance, any help is appreciated!
Hello Splunkers. I need help regarding a field with multiple values that must be separated. I have the following log in the following format:

PostureReport Policy_Umbrella;Passed Policy_DLP;Passed Policy_Kaspersky;Passed Policy_Domain;Passed Policy_SCCM;Passed Police_Firewall_Windows;Failed Policy_Crownstrike;Passed

I need to separate every Policy with its status. I tried to use mvindex, mvjoin and then separate the events, and mvexpand, but none of these worked for me. Thank you.
Just installed Splunk 9.0.1 on an Ubuntu server and received an influx of internal errors in splunkd.log saying the following:

"message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/splunk_assist/bin/uiassets_modular_input.py" splunk.LicenseRestriction: [HTTP 402] Current license does not allow the requested action"

What exactly is the forwarder trying to do that is causing this error to show? I've also attempted to add an Enterprise license but receive the same error.
These are the errors I am getting. Creating an SSL certificate has also been tried, and it works fine; it's not an SSL issue. Can anyone help us?
If I add "interval" to my data input like this in inputs.conf, the modular input script will run every 300 sec as expected:

[bhe-splunk-app]
python.version = python3
disabled = 1
interval = 300

[bhe-splunk-app://input]
index = bhe-splunk-app
description = "Streams data from BHE instance"

But the interval parameter does not show on the data input page in Splunk, so I can't modify it from the Splunk UI. When I add the parameter to the inputs.conf.spec file like this:

[bhe-splunk-app://<name>]
*Streams data from BHE instance
interval = <number>
description = "Streams data from BHE instance"

"interval" appears on the data input page, and I can modify it, but it is no longer working - the modular input script is no longer executed repeatedly on the interval. How do I add interval so that it can be modified from the data input page and still works?
Hi All, we have a .NET based application that needs to be monitored. From a couple of call graphs we found that several slow transactions are from the class method System.Threading.Monitor.ObjWait. But I have no clue what we should do with this class method. Do you guys have any idea about this class method and how to troubleshoot and handle it? Thanks, Ruli
I want to remove the host field (a default field) from Splunk Cloud permanently, since we don't need the host field in our search results.
Hi, I heard that it's frowned upon to run Splunk as root, so I created a Splunk user. I can't figure out why I can't run splunk start, stop, and status without getting permission denied. I've changed the ownership of /opt/splunk to the user "splunk" that I created, because I was told it was bad to run Splunk as root. When working in my "splunk" user account I continuously get this error whenever trying to configure enable boot-start:

root@cluster-master:/opt# ./splunk/bin/splunk enable boot-start -systemd-managed 1 -user splunk
Warning: cannot create "/opt/splunk/var/log/splunk"
Warning: cannot create "/opt/splunk/var/log/introspection"
Warning: cannot create "/opt/splunk/var/log/watchdog"
Systemd unit file installed at /etc/systemd/system/Splunkd.service.
Configured as systemd managed service.
root@cluster-master:/opt# su splunk
splunk@cluster-master:/opt$ ./splunk/bin/splunk status
Warning: cannot create "/opt/splunk/var/log/splunk"
Warning: cannot create "/opt/splunk/var/log/introspection"
Warning: cannot create "/opt/splunk/var/log/watchdog"
Pid file "/opt/splunk/var/run/splunk/splunkd.pid" unreadable.: Permission denied
splunkd.pid file is unreadable.
Pid file "/opt/splunk/var/run/splunk/splunkd.pid" unreadable.: Permission denied
splunk@cluster-master:/opt$
Hi guys, I need to know whether there is any way to remove the host field from the search results, since we don't need the host field in our search results. We are using Splunk Cloud and we need to configure the Splunk heavy forwarder to do so. Can someone please help with this?
Hello Community, we are configuring TA-ms-teams-alert-action to let the customer publish Splunk alerts in their MS Teams channel. The alert config is as follows:

When we try opening the Webhook URL in a browser for testing, it says:

Invalid webhook request - GET not supported

While debugging TA-ms-teams-alert-action, the logs say:

2022-12-12 13:17:05,698 DEBUG pid=106480 tid=MainThread file=cim_actions.py:message:292 | sendmodaction - signature="json data for final rest call:={ "@type": "MessageCard", "@context": "http://schema.org/extensions", "themeColor": "0076D7", "summary": "Alert", "sections": [ { "activityTitle": "Alert", "activitySubtitle": "", "activityImage": "https://myimage.png", "facts": [ { "name": "host", "value": "hostname1" }, { "name": "sourcetype", "value": "splunkd" } ], "markdown": false } ], "potentialAction": [ { "@type": "OpenUri", "name": "View in Splunk", "targets": [ { "os": "default", "uri": "https://splunk.mydomain.com/app/TA-ms-teams-alert-action/@go?sid=scheduler__username123_1233456" } ] } ] }" action_name="ms_teams_publish_to_channel" search_name="test_alert" sid="scheduler__2username123_1233456" rid="0" app="TA-ms-teams-alert-action" user="username123" action_mode="saved"

Does anyone know how to troubleshoot this case? Best regards, Justyna