Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About riqbal47010
riqbal47010
Path Finder
Member since:
01-27-2019
07-26-2022
Community Statistics
| Posts | 103 |
| Solutions | 1 |
| Karma Given | 2 |
| Karma Received | 1 |
| Member Since | 01-27-2019 |
Activity Feed
- Posted Lookup filter based on time on Splunk Search. 12-09-2020 07:44 AM
- Posted max successfull VPN users per day by monthly. on Splunk Search. 06-18-2020 08:06 AM
- Karma Re: Tokens not propagating values for niketn. 06-05-2020 12:51 AM
- Got Karma for Re: timechart for post for multiple web sites. 06-05-2020 12:50 AM
- Karma Re: HP Service Manager app for thambisetty. 06-05-2020 12:46 AM
- Posted Re: Detect /list Active VPN sessions on Security. 04-27-2020 01:50 AM
- Posted Detect /list Active VPN sessions on Security. 04-24-2020 11:04 AM
- Posted Re: Geostats and rangemap on Splunk Search. 04-23-2020 04:44 AM
- Posted TOP 10 values on Splunk Search. 04-18-2020 04:24 AM
- Posted Re: could not use strptime to parse timestamp on Getting Data In. 04-17-2020 05:36 AM
- Posted Re: could not use strptime to parse timestamp on Getting Data In. 04-17-2020 04:10 AM
- Posted could not use strptime to parse timestamp on Getting Data In. 04-16-2020 07:01 AM
- Posted CEF events Issue - cefKeys and cefCustom on All Apps and Add-ons. 04-07-2020 06:47 AM
- Posted Re: CEF parsing is not working on Splunk Enterprise Security. 04-04-2020 02:47 AM
- Posted CEF parsing is not working on Splunk Enterprise Security. 04-01-2020 12:28 PM
- Tagged CEF parsing is not working on Splunk Enterprise Security. 04-01-2020 12:28 PM
- Posted CEF Field Parsing on Splunk Search. 04-01-2020 02:58 AM
- Tagged CEF Field Parsing on Splunk Search. 04-01-2020 02:58 AM
- Posted CEF parsing on under Splunk Enterprie Security App on Splunk Enterprise Security. 03-29-2020 02:26 AM
- Tagged CEF parsing on under Splunk Enterprie Security App on Splunk Enterprise Security. 03-29-2020 02:26 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
10-31-2019
12:57 AM
OR in simple can we achieve beow:
if (cs_host = www.abc.com OR cs_host=www.xyz.com OR cs_host="www.*"), External, internal)
... View more
10-30-2019
11:04 PM
Hi Splunk Ninjas,
We have different web portals for different purposes. I categorize them as internal and external web portal.
Now under the cs_host field I have different values but both type of values are pointing as one web portal
for example.
cs_host=www.abc.com dvc/host= 1.2.3.4(External)
cs_host=abc.com dvc/host= 1.2.3.4(Internal)
cs_host=abc dvc/host= 1.2.3.4(Internal)
cs_host=www.xyz.com dvc/host= 1.2.3.4(External)
cs_host=xyz.com dvc/host= 1.2.3.4(Internal)
cs_host=xyz dvc/host= 1.2.3.4(External)
The idea comes in my mind to separate them based on either internal OR external
so if the cs_host=www.abc.com OR cs_host=www.xyz.com
then there should be another field name web_portal=external
and if cs_host=abc.com|abc OR cs_host=xyz|xyz.com
the cs_host values should become abc|xyz.
... View more
10-27-2019
10:12 PM
Hi
Although it was not the TLS issue. but a issue with windows TA.
Everything is connected and working fine. however problem identified and solved.
actually we have two TA's for same technology. for example, windows. one without inputs.conf and other with inputs.conf. Universal forwarded upgrade was successful. I also update the native windows TA with latest version. 6.0. and in my case it has inputs.conf as well with by default disabled everything. So I believe it was taking the precendance over the cutom windows TA( which ended as "_inputs". after deleting local/inputs.con. I start receiving the logs.
thanks woodcock for your kind reply.
Regards,
Rashid
... View more
10-27-2019
10:10 PM
Hi Ciao,
Everything is connected and working fine. however problem identified and solved.
actually we have two TA's for same technology. for example, windows. one without inputs.conf and other with inputs.conf. Upgrade was successful. I also update the native windows TA with latest version. 6.0. and in my case it has inputs.conf as well with by default disabled everything. So I believe it was taking the precendance over the cutom windows TA( which ended as "_inputs". after deleting local/inputs.con. I start receiving the logs.
and thanks for replying a stupid question by .... person.. 🙂
... View more
10-27-2019
10:05 PM
Yes Forwarder is running. However problem get solved.
... View more
10-27-2019
03:19 AM
After upgrading universal fowarder from 7.1.2 to 7.3.1, the universal forwardre stop sending logs to splunk.
... View more
10-27-2019
12:51 AM
After upgrade from 7.1.2 to 7.3.2. I am seeing below error.
INFO loader - SAML cert db registration with KVStore failed
... View more
10-17-2019
02:16 AM
this below post answer seems answering my question.
https://answers.splunk.com/answers/771891/splunk-test-environment.html?utm_source=typeahead&utm_medium=newquestion&utm_campaign=no_votes_sort_relev
althrough yours as well.
... View more
10-17-2019
01:32 AM
I have single instance test environment. How can I move one index data from productio to test environment for testing purpose.
... View more
- Tags:
- splunk-enterprise
10-16-2019
06:18 AM
I have one lookup file. Now I want to see the list of servers that are in the list but not in AV index.
... View more
- Tags:
- splunk-enterprise
09-30-2019
04:13 AM
Hi everyone,
to collect auditd logs from /var/log/audit.log, I just add TA-auditd and removed standard unix TA. the default TA-auditd does not have any inputs.conf file.
there are no logs i check with
index=* sourcetype= linux:audit
whereas I can see in _internal index that events are coming.
... View more
09-29-2019
11:58 PM
Dear All,
how can I know that if someone uninstall anti virus solution on windows server or client. can we get that logs with windows TA ?
... View more
- Tags:
- splunk-enterprise
09-11-2019
04:48 AM
hi diogofgm,
we have different indexes.conf for each technology index. Now the two indexers have 96% utilized disk space remaining others are 75 to 80 percent utilized. how can we immediately solve this issue.
Further to that, If i reduce the retention period to 6 months from 9 months. will it fix the disk space issue. primarily we need 6 months data online.
... View more
09-11-2019
04:45 AM
Hi,
after installing the package I copied the server.conf file from other indexer and just update the name.
after that i replace the splunk.secret key.
and we are back in business.
... View more
09-11-2019
12:35 AM
we have 6 indexers in indexer cluster setup. one of the indexer server, the splunk mount point goes corrupt due to disk space issue. now we mount the new point and install the splunk package on that server . Now how can we join him back to the Indexer cluster.
Hostname and IP address is same.
... View more
- Tags:
- splunk-enterprise
09-03-2019
11:53 PM
Whenever I a select any app on splunk instance it open the Linux/Unix app setup page.
... View more
09-01-2019
03:51 AM
thanks for the reply, interestingly after removing excessive buckets I got enough disk space.
we have nine months retention policy after that they moved to Frozen NFS share.
thanks for reply.
... View more
09-01-2019
12:42 AM
We have multisite Indexer cluster setup.
one of the indexer server disk space get full and become offline whereas otehr servers disk space is almost 90 percent.
how can we fix this issue.
... View more
- Tags:
- splunk-enterprise
08-31-2019
11:18 PM
all of our indexers server disk space is almost 90% full and one of the indexer server disk is full(100%) so he get stopped.
So the first thing is to determine that why only specific server disk space get full(100%) and others are at 90% .
secondly how can we solve this issue.
... View more
- Tags:
- splunk-enterprise
08-29-2019
03:01 AM
under correlation search can we add certain variables like $src$ | $dest$ into search name:
actually we are sending these notables to ticketing system through email. the in between machanism automatically opens the ticket for SOC if the email sent to certain email id.
... View more
07-17-2019
10:43 PM
I have distributed environment and I configure the HEC on one of the heavy forwarder.
i already create one app on deployment server and enable the following parameters in
inputs.conf file.
[http]
useDeploymentServer = 1
After that I login to Deployment server and generate the token. that token parameters are also reflecting in /opt/splunk/etc/deployment_apps/splunk_httpinput/local/inputs.conf
My goal is to receive HTTP event on Heavy forwarder and forward them to Indexer cluster.
so my question is :
1- I already created on app named splunk_httpinput on CM with indexes.conf file but it is not pushig. So what is missing part here.
2- its mandatory to created outputs.conf file in splunk_httinput app or my default outputs.conf app will handle this part.
Hope this clears the road .
... View more
07-16-2019
11:36 PM
I want to configure HTTP Event collector on one of the Heavy forwarder.
initially i create the app with named splunk_httpinput
inputs.conf
[http]
useDeploymentServer = 1
index = hec
for outputs.conf , I will use the standard app to forward logs to indexer cluster.
... View more
- Tags:
- splunk-enterprise
07-03-2019
04:15 AM
Its a bit complicated query but let me explain.
One device=a start sending logs after 3 months. befor 3 months there was logs and LAST LOG/EVENT RECEIVED YESTERDAY.
So i want to see earliest, latest and difference between noew() and latest event.
dvc/host latestTime earliestTime daydiff
1 07/02/2019 09:40:55 04/04/2019 00:01:13 01/02/1970 07:27:59
below is my query:
index=xxx
| stats latest(_time) as latestTime, earliest(_time) as earliestTime by dvc
| convert ctime(latestTime) as latestTime, ctime(earliestTime) as earliestTime
and when I add below:
index=xxx
| stats latest(_time) as latestTime, earliest(_time) as earliestTime by dvc
| eval daydiff = (now()-latestTime)
| convert ctime(latestTime) as latestTime, ctime(earliestTime) as earliestTime, ctime(daydiff)
the daydiff field show the result = 01/01/1970
... View more
- Tags:
- splunk-enterprise
- « Previous
- Next »
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
07-26-2022
05:26 AM
|
