About gcusello

gcusello

Hi @karthi2809 , let me understand: the issue is that your search runs if you choose a value but it doesn't run if you choose the "All" value ("*"), is it correct? I don't ee big problema in your search, I'd only use search instead whene in the last condition and I'd add parenthesis in the main search: index=mulesoft environment=PRD ($BankApp$ OR priority IN ("ERROR", "WARN")) | stats values(*) AS * BY correlationId | rename content.InterfaceName AS InterfaceName content.FileList{} AS FileList content.Filename as FileName content.ErrorMsg as ErrorMsg | eval Status=case(priority="ERROR","ERROR", priority="WARN","WARN", priority!="ERROR","SUCCESS") | fields Status InterfaceName applicationName FileList FileName correlationId ErrorMsg message | search $interface$ FileList=* | sort -timestamp Ciao. Giuseppe

gcusello

Hi @karthi2809, this is a new question, even if on the same topic, it's always better to open a new question to have a quicker and probably better answer. Anyway, at first don't use the search command after the main search because your search will be slower Then, I see again a different field name than the one in the input, which is the correct one? could you share yur search with the tokens? Ciao. Giuseppe

gcusello

Hi @karthi2809, there's a strange thing in your inputs: in the search you have the field APPLICATION_NAME, but in the fieldForLabel you have a different field ApplicationName and in prefix another one applicationName. same thing in the second input. What's the field name? you must use the same in all the above tags. You can have different values between FieldForLabel and FieldForvalue if you have two fields in the search, but you have only one. So what's the correct one? Supponing that the correct one is the one in uppercase, please try this: <input type="dropdown" token="BankApp" searchWhenChanged="true" depends="$BankDropDown$"> <label>ApplicationName</label> <choice value="*">All</choice> <search> <query> | inputlookup BankIntegration.csv | dedup APPLICATION_NAME | sort APPLICATION_NAME | table APPLICATION_NAME </query> </search> <fieldForLabel>APPLICATION_NAME</fieldForLabel> <fieldForValue>APPLICATION_NAME</fieldForValue> <default>*</default> <prefix>APPLICATION_NAME="</prefix> <suffix>"</suffix> </input> <input type="dropdown" token="interface" searchWhenChanged="true" depends="$BankDropDown$"> <label>InterfaceName</label> <choice value="*">All</choice> <search> <query> | inputlookup BankIntegration.csv | search $BankApp$ | sort INTERFACE_NAME | table INTERFACE_NAME </query> </search> <fieldForLabel>INTERFACE_NAME</fieldForLabel> <fieldForValue>INTERFACE_NAME</fieldForValue> <default>*</default> <prefix>INTERFACE_NAME="</prefix> <suffix>"</suffix> </input> Then, does your inputs run withouth the depends condition? Ciao. Giuseppe

gcusello

Hi @selvam_sekar , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors 😉

gcusello

Hi @aasserhifni, did you tried to sop Splunk on the SH, delete the folder and then restart Splunk? did you checked if you have deployment tools as Ansible GPO or a Splunk Deployment Server? Ciao. Giuseppe

gcusello

Hi @aasserhifni , if you have a stand-alone Search Head, you have only to remove the folder in $SPLUNK_HOME/etc/apps and restart Splunk. Are you sure that your Search Head isn't managed by an external deployment sistem (e.g. Ansible or GPO) or a Splunk Deployment Server? Ciao. Giuseppe

gcusello

Hi @Keerthi, I suppose that you have a script that launches the API, manually launch again your script, I don't know how your script runs, but eventually modifying it to take also the old data, you shuld be able to re-run it. Ciao. Giuseppe

gcusello

Hi @aasserhifni, I suppose that you have a Search Head Cluster, did you removed the app from the list in the $SPUNK_HOME/etc/shcluster-apps/apps folder in the SH-Deployer and then did you run the deploy command on the Deployer? Ciao. Giuseppe

gcusello

Hi @aasserhifni, you can manually remove an app from a stand alone Search Head, removing the folder and restarting Splunk. If you have a SH-Cluster, you have to remove it from the Deployer ($SPLUNK_HOME/etc/shcluster-apps/apps folder) and then push the apps. Ciao. Giuseppe

gcusello

Hi try using kvform (https://docs.splunk.com/Documentation/SplunkCloud/9.1.2312/SearchReference/Kvform ) Ciao. Giuseppe

gcusello

Hi @slider8p2023 , good for you, see next time! I still don't use Dashboard Studio because it doesn't still have all the features I use of the Classical Dashboard! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated 😉

gcusello

Hi @masakazu, in the deploymentclient.conf file of the Cluster Master, you have to add: repositoryLocation = $SPLUNK_HOME/etc/managed-apps in this way the deployment Server, only on the Cluster Master, doesn't deploy the apps into apps but in managed-apps folder. Then you have to push it by GUI (I'm not sure that's possible to automate it by DS). Put attention that this deploymentclient.conf must be different thant the one on the other clients. Ciao. Giuseppe

gcusello

Hi @slider8p2023, you could try to clone it going in https://<your_host>/en-US/app/SplunkEnterpriseSecuritySuite/dashboards and cloning the dashboard, but I'm not sure that it's possible to schedule it. Otherwise, you should create a custom clone of the Security Posture dashboard using the searches that you can extract from the original dashboard and then schedule it to send by eMail as a pdf. Ciao. Giuseppe

gcusello

Hi @jessieb_83 , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the contributors 😉

gcusello

Hi @keneyfofe, your error is really strange, have you the Settings menu? If yes, go in [Settings > Liensing > Add new License]. Ciao. Giuseppe

gcusello

Hi @dhruvisha2345, if you created the new app by GUI, you have only to upload a file and Splunk automaticall add the appserver/static folder. If you created the app by SH, you have to manually create it. Ciao. Giuseppe

gcusello

Hi @shakti , clear the cache and if that doesn't work open a case with Splunk Support Ciao. Giuseppe

gcusello

Hi @sphiwee, as I said, I don't know very well Powershell, try it. Ciao. Giuseppe

gcusello

Hi @pgabo66 , you have to create a new field associating it to your sourcetype and using this rule: ^(?:https?:\/\/)?(?:www[0-9]*\.)?(?)(?<url_domain>[^\n:\/]+) in event.url in the field extraction. Ciao. Giuseppe

gcusello

Hi @mahesh27 As @bowesmana said, this is a classic proving the negative issue and you can find thousands of answers in Community. In this case you have two solutions: if you have a list of hosts to monitor to put in a lookup (called e.g. perimeter.csv with at least one column called host), you could run something like this | tstats count WHERE index=app-logs sourcetype=app-data source=*app.logs* host IN (appdatajs01, appdatajs02, appdatajs03, appdatajs04) BY host | append [ | inputlookup perimeter.csv | eval count=0 | fields host count ] | stats sum(count) AS total by host | where total<100 If you don't have a lookup or you don't want to manage it, you could run something like this: | tstats count latest(_time) AS _time WHERE index=app-logs sourcetype=app-data source=*app.logs* host IN (appdatajs01, appdatajs02, appdatajs03, appdatajs04) earliest=-30d@d latest=now BY host | where _time<now()-3600 In this way, you have the hosts that sent logs in the last 30 days but not in the last hour (you eventually can modify the time periods). in addition the command | bin span=1m _time has no sense because you don't use time in your stats. Ciao. Giuseppe

gcusello

Hi @sphiwee , if you don't know very well Powershell, why do you want to use it? You can use a simple batch script or some other tool (as Ansible) or Windows GPO (surely you have a Domain Controller. Anyway, you could see this link https://docs.splunk.com/Documentation/Forwarder/9.0.1/Forwarder/InstallaWindowsuniversalforwarderfromaninstaller?_gl=1*1w7f8cx*_ga*ODAyODQ0Njg5LjE3MTIyMjE5NTg.*_ga_GS7YF8S63Y*MTcxMzI0MzQxMS40My4xLjE3MTMyNDM3MjIuNDguMC4w*_ga_5EPM2P39FV*MTcxMzI0MzM5Ni40Ny4xLjE3MTMyNDM4NzAuMC4wLjkyMTAxMDI3NQ..&_ga=2.74864917.64127089.1712221958-802844689.1712221958#Install_a_Windows_universal_forwarder_from_the_command_line for detailed instructions or the solution from this Community Champio: https://community.splunk.com/t5/Getting-Data-In/Powershell-unattended-installation/m-p/81069 Ciao. Giuseppe

gcusello

Hi @LuanNguyen , yes, yupu can use an HF as intermediate Forwarder between UFs and IDXs. The number is relevant only to correctly have a dimensioning of the reference hardware. At first I hint to engage a Splunk Architect for this job. Then I hint to avoid a single point of failure using at least two or three HFs. Then there isn't a reference hardware for the HF, in my experience we started with the default HW reference (12 CPUs, 12 GB RAM, 300 GB disk), and then, analyzing the use of these resources, we defined to add some CPUs. In addition, you should define if these HFs are only concentrators or if they also do parsing, merging and typing phases, especially the parsing phase: many transformations requires more resources. Then, if you have many UFs, you could prefer to have three or four HFs instead of two with more resources, to avoid that the network interfaces are the bottleneck. As I said, this design requires at least a Splunk Architect or a Splunk PS. Ciao. Giuseppe

gcusello

Hi @masakazu , let me understand: do you want to manage the Cluster Manager using the DS or do you want to directly manage the Indexers using the DS? the second option isn't possible. For the first it's always better to deploy to the Cluster Manager apps (e.g. TA_indexes) and not the indexes.conf file in _cluster. Anyway, you have to configure as deployment folder the $SPLUNK_HOME/etc/managed-apps folder. Ciao. Giuseppe

gcusello

Hi @Satyams14 , it isn't a good idea adding a new question, even if on the same topic, to another question because with a new question you could have a quicker and probably better answer. Anyway, as I said in the previous answer, you have to install the Fortinet Add-On on the UF/HF that you're using to receive data and on the Search Heads. As I said I hint to use a rsyslog receiver that writes the logs on files that you read using the UF. Ciao. Giuseppe

gcusello

Hi @maede_yavari , the message means that you have to copy the app.conf from the default folder to the local one. Then, there's an error in outputs.conf: check it, if you want share it, eventually masking IP addresses. Ciao. Giuseppe

Posts	13089
Solutions	1993
Karma Given	316
Karma Received	3755
Member Since	‎01-02-2019

Online Status	Offline
Date Last Visited	41m ago

tracking Splunk modifications

identify the sender of an HEC data flow

Create custom fields at indextime on Heavy Forward...

Quarantined heavy Forwarder

Issues in adding a lookup field in a Data Model

information about Splunk audit events

Juniper switch add-on

Double sourcetype overriding

Connect winlogbeat log format to Splunk_TA_Windows

Priority (precedence) in props.conf

Re: how to create dependent dropdown?

Re: how to create dependent dropdown?

Re: how to create dependent dropdown?

Re: How to join or corelate 3 different index/sour...

Re: How to delete app from splunk search head?

Re: How to delete app from splunk search head?

Re: how to re-run the index again

Re: How to delete app from splunk search head?

Re: How to delete app from splunk search head?

Re: Filed extraction

Re: Alert to email the contents of the Security Po...

Re: About maintaining indexes.conf

Re: Alert to email the contents of the Security Po...

Re: Unusable Filesystem

Re: Licensing issue -

Re: appserver folder is not created automatically

Re: search head

Re: Installation via powershell on windows

Re: rex field command in props.conf file

Re: Alert Query not working as expected

Re: Installation via powershell on windows

Re: Limitation of Heavy Forwarder outputs?

Re: About maintaining indexes.conf

Re: How to configure Splunk forwarder to receive F...

Re: How to configure an app's outputs.conf to forw...