Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About soumyasaha25
soumyasaha25
Contributor
Member since:
09-16-2015
12-14-2022
Community Statistics
| Posts | 104 |
| Solutions | 5 |
| Karma Given | 0 |
| Karma Received | 14 |
| Member Since | 09-16-2015 |
Activity Feed
- Posted What is the capability needed to view Adaptive responses section in incident review page on ES? on Splunk Enterprise Security. 12-14-2022 03:00 AM
- Posted Re: large number of inputs maxing out HF on Knowledge Management. 07-01-2022 01:21 AM
- Posted How to stop large number of inputs maxing out HF? on Knowledge Management. 07-01-2022 12:46 AM
- Tagged How to stop large number of inputs maxing out HF? on Knowledge Management. 07-01-2022 12:46 AM
- Got Karma for Re: Phantom App for Splunk not respecting Global field mappings. 06-27-2022 09:44 AM
- Posted Re: Phantom App for Splunk not respecting Global field mappings on Splunk SOAR. 06-27-2022 01:47 AM
- Posted Phantom App for Splunk not respecting Global field mappings on Splunk SOAR. 02-03-2022 06:40 AM
- Posted delete top notable event from the "Top Notable Events" panel in ES Security Posture page on Splunk Enterprise Security. 11-29-2021 02:55 AM
- Posted Re: Search Scheduler Searches Skipped on Splunk Search. 11-11-2021 07:41 AM
- Posted Re: Splunk search query on Splunk Search. 11-11-2021 07:30 AM
- Got Karma for Re: Search Scheduler Searches Skipped. 11-10-2021 08:17 AM
- Posted Re: Search Scheduler Searches Skipped on Splunk Search. 11-10-2021 08:11 AM
- Posted Re: Table colouring by overall range on Dashboards & Visualizations. 11-10-2021 07:31 AM
- Posted Migrate ES correlation rules to a custom app on Splunk Enterprise Security. 09-15-2021 03:10 AM
- Posted REST API Modular Input add on stopped reading data on Getting Data In. 05-19-2021 12:58 AM
- Posted heavy forwarder of higher version than indexers on Splunk Enterprise. 03-18-2021 08:41 AM
- Got Karma for Re: No message was deserialized prior to calling the DispatchChannelSink. Parameter name: requestMsg. 01-08-2021 04:47 AM
- Posted Re: Splunk Indexers sending too much of data to search heads on Splunk Enterprise. 11-12-2020 12:31 AM
- Posted Splunk Indexers sending too much of data to search heads on Splunk Enterprise. 11-03-2020 04:34 AM
- Got Karma for Re: Email alert changes. 06-05-2020 12:51 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
01-19-2020
08:08 AM
1 Karma
Hi @celina11 ideally the web.conf file will be locate in /opt/splunk/etc/system/default/ unless you have made some custom changes to it and placed it in /opt/splunk/etc/system/local/.
i did once encounter similar issue in the past (when i had installed splunk as a test on my personal laptop), turned out instead of port 8000 splunk we was setup to use 8002. I would suggest you have a look at the we.conf file and check for the attribute
"httpport" also verify if attribute "startwebserver" is set to 1.
so if the httpport is set to port 8003 (assuming) you should try to access splunk web by hitting http://localhost:8003
Lastly, if you care making any changes to the web.conf file, make sure you create a new web.conf file in /opt/splunk/etc/system/local/ and make your changes there.
... View more
01-17-2020
07:37 AM
1 Karma
ideally after installing the universal forwarder you need to configure it via the splunk config files, mainly inputs.conf and outputs.conf
refer this page to know more.
... View more
01-17-2020
07:37 AM
this got resolved, looks like the config file was missing some attributes in userBaseDN. after adding them, it works.
... View more
01-17-2020
02:53 AM
Yes, my bad i forgot to mention it in the post. i did check the developer tools, network tab. If i click once and wait (patiently), it eventually throws an "Invalid username or password" error although i did key in the correct username and password, and eventually after multiple clicks i am able to login.
I also had done a test where i had clicked on login once, noted down the time and waited for it to fail/login.
example like this below
Trial 1
Time Status
13:40 Fail
13:43 Fail
13:50 Fail
13:53 Success
Also, i did notice that my groupBaseDN does not have a CN and have multiple OUs (when compared to another working splunk cluster which has lesser OUs and a CN defined in groupBaseDN), do you think that might be the issue?
... View more
01-16-2020
07:01 AM
i have configred my splunk deployment (hosted on AWS instances) to use LDAP authentication over ssl, but whenever i try to login using my ldap credentials, i have to click on the login buttom multiple times to successfully login, when i use my local authentication credentials it works fine. Below is a snippet of my authentication.conf configs (with sensitive info masked)
[My_splunk_strategy_name]
SSLEnabled = 1
anonymous_referrals = 1
bindDN = CN=<service account>,OU=<OU Name 1>,OU=<OU Name 2>,OU=<OU Name 3>,DC=<DC Name 1>,DC=<DC Name 2>
bindDNpassword = my_password
charset = utf8
emailAttribute = mail
groupBaseDN = OU=<OU Name 1>,OU=<OU Name 2>,OU=<OU Name 3>,OU=<OU Name 4>,DC=<DC Name 1>,DC=<DC Name 2>;OU=<Another_OU Name 1>,OU=<Another_OU Name 2>,OU=<Another_OU Name 3>,OU=<Another_OU Name 4>,DC=<DC Name 1>,DC=<DC Name 2>
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = ldap_hostname
nestedGroups = 0
network_timeout = 29
port = 636
realNameAttribute = cn
sizelimit = 2000
timelimit = 28
userBaseDN = DC=<DC Name 1>,DC=<DC Name 2>
userNameAttribute = samaccountname
pagelimit = -1
i have another splunk instance which is using similar configs and authentication works perfectly there (no need to click multiple times). The differances there are
1. there we use ldap and not ldaps
2. there the groupBaseDN has lesser number of OUs
So i tried on my current setup with LDAP (port 389 instead of 636 and SSLEnabled = 0 ) but still faced the same issue.
Am i missing anything here? any suggestions on how to resolve this issue.
Note: The security groups and NACLs rules are not an issue as i have already verified with AWS support on that.
... View more
01-16-2020
03:17 AM
1 Karma
have a look in index=_internal source=*python.log* there you can have a look at the subject field that shows the alert name and the recipients filed shows the list of email ids.
you can compare by dunning the search over different times and see the difference in the recipients to find out which email ids were changed.
... View more
01-12-2020
05:58 AM
I don't believe there is a limit on the no of indexes as such. If you worry about the performance it all depends on how your data is coming and how you write your searches. Although, as some of the users have reported you start to run into performance issues if the number of indexes are more than 100K (which quite a huge number and is hardly reached).
regarding your query on where to configure addons/apps - usually, it is mentioned in the app/addon documentation as to where it needs to be installed based on what features/activities are performed by the app/add on.
For example: refer this page for the AWS add on.
... View more
01-10-2020
07:47 AM
i had seen such errors in the past and this suggestion had helped me resolve the issue.
... View more
01-10-2020
05:23 AM
as per this doc the splunk-launch.conf file should be in "$SPLUNK_HOME/etc/ " directory.
if you want to change the location of SPLUNK_DB change it in splunk-launch.conf
NOTE:
This conf file is different from most splunk conf files. There is only one in the whole system, located at $SPLUNK_HOME/etc/splunk-launch.conf; further, there are no stanzas, explicit or implicit. Finally, any splunk-launch.conf files in etc/apps/... or etc/users/... will be ignored.
... View more
01-10-2020
04:48 AM
Yes, we use multiple indexes (one per account per data type).
example: for account xx we have
1. name_xx_vpcflow
2. name_xx_linux
Also, If your questions are resolved, please make sure you accept the answer to close this question.
Cheers
... View more
01-09-2020
02:54 PM
we do have multiple AWS accounts logging to splunk with considerably good reliability, you just need to get your configuration right.
For AWS a bulk of the data is ingested from CloudWatch log groups using kinesis streams, the differentiating factor in this case is how you decide to get the data into Splunk i.e Pull based or push based approach. the pull based approach (using AWS add 0n) although relatively easy to setup the push based approach with AWS kinesis firehose and splunk HEC is more reliable.
Again, everything depends on your setup, what is the volume of data that you want to onboard, what use cases you want to implement, what AWS services you can implement/use, what is your expectation on data delivery and its reliability, etc.
Once you have these figured out you can decide on which approach you want to use to onboard data optimally.
Refer this to get an overvie on how to onboard Cloudwatch logs
Also, there are a few prdefined Lambda blueprints that you can start out with and customize based on your requirements, see this
Hope this helps. Happy Splunking!!
... View more
01-09-2020
02:26 PM
you can create custom server classes and push your configs one at a time (individually for each server class).
... View more
01-09-2020
07:07 AM
you can try something like this:
index=_internal earliest=-3d latest=-2d
| stats count as previous_count
| appendcols
[ search index=_internal earliest=-2d latest=-1d
| stats count as current_count]
| eval Increase= (current_count-previous_count)/previous_count
| eval inc_perc=Increase*100
| table previous_count current_count inc_perc
Make sure you modify the search with your logic to include the filename and size(bytes) as in your existing logic.
... View more
01-09-2020
06:03 AM
@productit If your questions are resolved, can you please accept this as the answer.
... View more
01-08-2020
06:09 AM
1 Karma
you can install and configure the TA for service-now. refer here for the documentation on how to do it.
you can download the Add on from the splunkbase portal here
... View more
01-08-2020
05:32 AM
HI @bhavin_crest, If your questions are resolved, can you please accept this as the answer.
... View more
01-06-2020
06:49 AM
2 Karma
you can perform a raft clean on all the cluster member and then bootstrap one as the captain
Check this link on how to do it.
... View more
01-02-2020
07:22 AM
if my understanding of your question is right, you want to extract new fields from an already existing field
if so you can try this:
lets say your original field is "original_field" and value is "i want to extract field1, field2, field3, field4 from my original_field"
you can use something like the below query
<your search>|rex field=original_field ".*?extract\s(?<new_field1>.*?)\,\s(?<new_field2>.*?)\,\s(?<new_field3>.*?)\,\s(?"<new_field4>.*?)\,
... View more
01-02-2020
03:21 AM
have a look here, splunk has round, ceil, floor functions that you can use along with eval command to perform rounding.
eg: ...| eval n=ceil(1.9)
returns n=2
... View more
01-01-2020
01:57 PM
Hi @segevgal87, although i have not tested it myself, based on the answer on this post it might be due to LetsEncrypt.
Could you try using an AWS ACM cert ? Do you get the same error with ACM certs.
... View more
01-01-2020
12:47 PM
to add to the above. you can have a look at this link where its explained in detail.
... View more
01-01-2020
12:18 PM
Hi @shobhna744, you can install the splunk TA for Unix and Linux from here , this would automatically parse your data and you should be able to see the cpu sourcetype in case you dont get the right sourcetype even after installing the TA you might have to check the props and transforms in the TA to figure out if they correctly map to your dataset.
you can have a look at the sourcetypes that ship along with the TA here.
Alternatively, you can define your own custom props and transforms rules to parse the data and assign sourcetype=cpu when the incoming data matches your conditions.
... View more
07-16-2019
02:18 AM
can you please specify what editing was required to fix it
... View more
07-15-2019
05:37 AM
i am facing the same issue
... View more
05-01-2019
03:41 AM
it would be great if you can mark this as answered, if i was able to help with your question.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
12-14-2022
03:06 AM
|
