Hey, just a short piece of advice:
There can be multiple deployment servers. You would however need to put them behind some kind of load balancer, and also make sure to sync their config, but besides that, it's possible.
I don't have the time or enough knowledge to answer all your other questions, but I'll leave you an upvote, because you wrote a very precise and well-done question, thanks!
Do I get this right?
You want to install Splunk UF with a certain service account, but without using that account's password?
Also, what is an MSA?
You can add the CMDB data as a lookup in Splunk, either as CSV, or via a DB lookup.
Besides that, your question is very broad and generic, so it's pretty hard to get any idea of what you have, what you want to do, and how it could be done.
Also, you might want to use the word "please" in future requests.
You CAN add the fields.conf on the HF, but it is only required for instances that are starting searches. So, unless your HF is used as a SH, no need for fields.conf there.
It is required on every search head!
By default it should be available on all IP addresses.
You can try netstat -tulpan | grep 8000 to see where Splunk is actually listening.
Hey,
I don't see any issues, besides the increasing disk space consumption.
You can, but it won't have the same (necessary) effect.
You need to tell the other instances that a field with that name was extracted at index time. If you don't do that, you'll get strange behavior when trying to search with it.
Yeah, that is basically local admin, and should be fine, unless you did something really weird.
Did you set the path to those files in the input settings? Maybe on Windows you need to do something strange, like doubling the \ s, or replacing \ with / - nothing I can actually point you to, but all of those have happened to me in the past, so it's worth giving them a try.
So - you want to send the HEC data to two different destinations?
You send ALL data from that instance to a certain index tier by default, and for some data, want to also send that data to a second destination?
The timechart visualization should also show you the time range in which those events are, which might give you a hint about what went wrong (e.g. wrong timestamp recognition = events in the future).
You could try this:
| tstats prestats=t count where sourcetype=waratek AND index=* by _time index
| timechart count by index
Set the search range to include events from 10 years ago until 10 years in the future, just in case some strange timestamp recognition happens.
Did you try to upload the Root CA certificate somewhere where Splunk has read permissions and then set this parameter in the input config?
Certificate Path
When a self-signed SSL certificate is used with the PCE, its SSL certificate needs to be uploaded onto the Splunk server and the full path to the directory containing the certificate should be provided here.
Could you show us a few lines of example data?
Although I'm pretty sure what you're trying to achieve will either be impossible or pretty complicated, let's see.
Could you please show a broader example of your data (especially one event where multiple events are treated as one), and the props/transforms that relate to that sourcetype?
As an alternative - the answer from @richgalloway creates index-time extractions - this would be a working config for search-time extractions:
props.conf
[yoursourcetype]
REPORT-multifields = yoursourcetype-multifields
transforms.conf
[yoursourcetype-multifields]
REGEX = \s*([^:]+):(.*)[\r\n]
FORMAT = $1::$2
I shamelessly copied the regex from @somesoni2's comment 😉
Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂
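To see what the REGEX / FORMAT = $1::$2 pair from the answer above actually captures, here is an added stand-alone simulation (not the answer's own code and not Splunk's extraction engine): it applies the posted regex repeatedly to a constructed multi-line event and collects name/value pairs, including the case where the last line has no line terminator.

```python
import re
from typing import Dict

# The search-time extraction regex exactly as posted in transforms.conf:
# optional whitespace, field name up to the first colon, the value, then a
# line terminator. Note that [^:]+ also spans newlines, so a line without a
# colon merges into the following field name.
MULTIFIELD_REGEX = re.compile(r"\s*([^:]+):(.*)[\r\n]")

# Constructed sample event (not real data): one "name: value" pair per line,
# every line terminated by a newline as the regex requires.
SAMPLE_EVENT = (
    "user: alice\n"
    "action: login\n"
    "result: success\n"
    "src: 10.0.0.5\n"
)

# Same constructed event, but the final line lacks its line terminator.
SAMPLE_EVENT_NO_TRAILING_NEWLINE = "user: alice\naction: login"


def extract_multifields(raw: str) -> Dict[str, str]:
    """Emulate FORMAT = $1::$2 over the whole event.

    Each match contributes group 1 as the field name and group 2 as the
    field value; surrounding whitespace is stripped from both. A later
    match with the same name overwrites an earlier one in this emulation.
    """
    fields: Dict[str, str] = {}
    for match in MULTIFIELD_REGEX.finditer(raw):
        name = match.group(1).strip()
        value = match.group(2).strip()
        fields[name] = value
    return fields


if __name__ == "__main__":
    print(extract_multifields(SAMPLE_EVENT))
    # The last pair is dropped because no [\r\n] follows its value.
    print(extract_multifields(SAMPLE_EVENT_NO_TRAILING_NEWLINE))
```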
Alternative option, via the Web GUI:
Settings -> Server controls
Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂
Do you have that information (city that the user logged in from) available in your data?
It would be a lot easier for us if you could post some example data. 🙂
Hey,
you're only missing a single char: s/^{//g 😉
Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂
Hey,
the best way to do this is the Splunk HTTP Event Collector. It's an HTTP(S) API that you can send your events to.
There is a lot to be considered for this, but the documents explain it pretty well. Check this:
Set up and use HTTP Event Collector in Splunk Web
Introduction to Splunk HTTP Event Collector
Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂
That's a pretty useless error message. Please try using Chrome, visit the site, and when it shows you the security warning, press F12. It should open a window that will have a lot more details in it, like this: