Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Learn Splunk
- :
- About anandhalagaras1
anandhalagaras1
Contributor
Member since:
10-15-2019
01-02-2025
Community Statistics
| Posts | 331 |
| Solutions | 0 |
| Karma Given | 26 |
| Karma Received | 7 |
| Member Since | 10-15-2019 |
Activity Feed
- Karma Re: Migrating Our Splunk Deployment Master Server From Azure To On-Premises for richgalloway. 12-06-2024 02:48 AM
- Karma Re: Silent Install of UF in Linux Client Machines for PaulPanther. 12-06-2024 02:47 AM
- Karma Re: Install The Forwarder Credentials On Individual Forwarders In *nix for richgalloway. 12-06-2024 02:24 AM
- Karma Re: Migrating Our Splunk Deployment Master Server From Azure To On-Premises for richgalloway. 11-07-2024 02:38 AM
- Karma Re: Max Lines Value Update In Search & Reporting App for deepakc. 05-15-2024 03:17 AM
- Karma Re: Data Masking Before Ingestion for marnall. 05-02-2024 04:58 AM
- Karma Re: Data Masking Before Ingestion for gcusello. 05-02-2024 04:58 AM
- Karma Re: AWS GuardDuty Logs to Splunk Cloud for deepakc. 05-02-2024 04:56 AM
- Karma Re: Combine Multiple Queries output and produce the result in table format for ITWhisperer. 05-02-2024 04:56 AM
- Karma Re: Data Masking for gcusello. 11-06-2023 11:13 PM
- Got Karma for Re: Splunk Supporting Add-on for Active Directory Issue. 10-17-2023 01:18 AM
- Got Karma for Re: Getting a Message during Reload in DM Server. 08-17-2023 06:15 AM
- Got Karma for Re: File Integrity Check Error in Heavy Forwarder Server. 08-17-2023 06:15 AM
- Karma Re: Getting a Message during Reload in DM Server for richgalloway. 08-17-2023 05:42 AM
- Karma Re: File Integrity Check Error in Heavy Forwarder Server for richgalloway. 08-17-2023 05:39 AM
- Got Karma for Splunk Fundamentals Training Courses 1,2 & 3. 05-24-2023 01:02 AM
- Posted Splunk Fundamentals Training Courses 1,2 & 3 on Training + Certification Discussions. 05-23-2023 10:47 PM
- Karma Re: 2008 Windows R2 Client Machine Splunk UF Installation for gcusello. 02-06-2023 05:50 AM
- Karma Re: Filter IIS Logs with 80 and 443 for gcusello. 02-06-2023 02:58 AM
- Got Karma for Re: Splunk Universal Forwarder Upgrade From 8.2.4 to 9.0.2. 11-23-2022 05:35 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
08-03-2022
02:09 AM
Hi @anandhalagaras1, the Trigger Condition: if there isn't any result in the search the alert triggers. Think about what I said about time period! Ciao. Giuseppe
... View more
07-05-2022
03:20 AM
Hi All, Our Search heads are with Splunk Cloud version 8.2.2203.2 and there is a requirement from our application team to use Stream Processor Service that is part of Splunk offering (Ref: https://docs.splunk.com/Documentation/StreamProcessor/standard/Admin/About) for Wineventlog and IIS logs. Is it something specific we need to purchase as a license? Or will it come with my Splunk Cloud subscription? So when I checked the document it is mentioned as Get access to a tenant and the Stream Processor Service https://docs.splunk.com/Documentation/StreamProcessor/standard/Admin/About#:~:text=Log%20in%20with%20your%20splunk,for%20the%20Stream%20Processor%20Service. So kindly let me know who will be the Stream Processor Service team? And also it has been mentioned to configure templates and other stuffs so kindly let me know how to proceed further.
... View more
Labels
- Labels:
-
monitor
06-30-2022
07:46 AM
Token authentication mechanism kind of works in parallel with SAML, so it requires SAML Attribute Query support in order to retrieve the information about group membership. Without AQR, this can be done with a script which extends Splunk auth and retrieves the information about group membership on its own, without AQR. You have 3 possible options: 1. Use identity provider which supports Attribute Query (AQR) 2. Use Azure or Okta since Splunk has auth extensions for them out of the box 3. Create your own authentication extension. If I'm not mistaken, Splunk cloud doesn't support auth extensions, so option 3 might be not applicable to your case.
... View more
05-27-2022
03:15 AM
Hi @anandhalagaras1, sorry, I didn't understand that you're using Splunk Cloud, anyway, go in the Cloud Monitoring Console to [Liense Usage -- Ingest -- Split by host] and you have the starting point search to modify adding the additional filter. In other words: (index=_internal host=*.*splunk*.* NOT host=sh*.*splunk*.* source=*license_usage.log* type="Usage")
| eval h=if(((len(h) == 0) OR isnull(h)),"(SQUASHED)",h)
| eval s=if(((len(s) == 0) OR isnull(s)),"(SQUASHED)",s)
| eval idx=if(((len(idx) == 0) OR isnull(idx)),"(UNKNOWN)",idx)
| search h IN (abc, def, gih, xyz, vbg)
| timechart span=1d eval(round((sum(b)/pow(2,30)),3)) AS Volume by h
| append [ | search
(index=summary source="splunk-ingestion" earliest=-30d@d)
| bin _time span=1d
| stats max(ingest_license) as license by _time
]
| stats values(*) as * by _time
| rename license as "license limit"
| fields - volume Ciao. Giuseppe
... View more
05-12-2022
09:54 AM
If I recall correctly, there are no interim steps needed for that upgrade, but the Release Notes will confirm that.
... View more
04-06-2022
03:58 AM
It looks like _time might not work well with scatter charts 🤐 If the times are all from the same day, you could use mod 84600 | eval time=_time%84600
| fields - _time
... View more
12-31-2021
06:52 AM
1 Karma
There is no method to "push" an app from the Deployment Server (DS) to clients. What happens is the client contacts the DS, gets a list of apps, then downloads those apps that have changed recently. Once you download and unpack the splunkclouduf.spl file into the deployment-apps directory, all should be good. The DS will take care of everything.
... View more
07-20-2021
06:36 AM
Can anyone kindly to check and update me on the same.
... View more
07-16-2021
09:01 AM
Hi Team, I have installed PingAccess (https://splunkbase.splunk.com/app/5368/) and PingFederate (https://splunkbase.splunk.com/app/976/) app in our Splunk Search head and based on this below mentioned documentation we have edited the log4j2.xml file in the client machines where pingaccess and pingfederate app has been installed. post which I can see a huge amount of files log files got generated in /log directory and I have ingested all the log files into Splunk. Documentation Link: https://docs.pingidentity.com/bundle/pingfederate-102/page/qst1564002981075.html https://docs.pingidentity.com/bundle/pingaccess-62/page/gyx1564006725145.html But when I navigated to the app and I couldn't able to see any data in the dashboard ? And it is showing as no results and search is waiting for inputs. So do i need to configure additional things to reflect in the dashboard? Since in both the apps I couldnt able to see any data getting populated so kindly help on the same. FYI. I have ingested all the log files using an index as main and for all the logs from pingaccess i used the sourcetype as pingaccess and for all the log files from pingfederate i used the index as main and sourcetype as pingfederate. And the logs from pingconsole i used the index as main and sourcetype as pingconsole. So am i missing anything in the configuration kindly let me know since I want the dashboard to work as expected.
... View more
06-14-2021
11:42 PM
@anandhalagaras1 if you still wish to proceed refer this link - Solved: Filtering events using NullQueue - Splunk Community # props.cong setting
[your_sourcetype]
TRANSFORMS-delete = sendtonullqueue
# transforms.conf settings
[sendtonullqueue]
REGEX = <this_should_match_your_body_uniquely>
DEST_KEY=queue
FORMAT=nullQueue
#Both these settings shall be deployed to indexer/HF ---- An upvote would be appreciated if it helps!
... View more
05-12-2021
05:41 AM
Splunkbase has several apps and add-ons available for Teams. See https://splunkbase.splunk.com/apps/#/search/teams/
... View more
05-07-2021
04:09 AM
Thank you I have upgrade the add-on to the latest version post which it is working fine as expected. Thanks for your prompt response.
... View more
04-23-2021
08:09 AM
Hi @anandhalagaras1, you could insert in inputs.conf the requirement of whitelisting only EventCodes 4624 and 4634 and this is easy (for more infos see at https://docs.splunk.com/Documentation/Splunk/8.1.3/Admin/Inputsconf); whitelist1 = EventCode=4624
whitelist2 = EventCode=4625 but remember that in tjhis way you're losing the choice to monitor other events (e.g. logfail 4625). About the other requirement is more difficoult because, as I said and you surely know, windows eventlogs are very verbose and complicated, so in the same event there are more values for the Accountname field, so you cannot discard events with Accountname=*$ because, maybe in the other values of the same event there's what you're searcing for. Ciao. Giuseppe
... View more
04-15-2021
01:19 AM
Hi Team, Can anyone help on my query please.
... View more
04-08-2021
06:32 AM
I do this with sparkline. It's not based on time but on log count in the _internal index. No logs being sent by host in _internal generally means something is wrong. This isn't the 15m solution you were looking for but wanted to share in case you wanted to implement something similar. You could use bin to create 15m buckets of _time. index=_internal sourcetype=splunkd destPort!="-"
| stats sparkline count by hostname, sourceHost, host, destPort, version
| rename destPort as "Destination Port", host as "Indexer", sourceHost as "Forwarder IP", version as "Splunk Forwarder Version", hostname as "Forwarder Host Name", sparkline as "Traffic Frequency"
| dedup "Forwarder Host Name"
| sort - count
| where count < 20 You can play around with the count as well. I try to look for forwarders that aren't just completely dead but aren't communicating as much as normal as well.
... View more
03-31-2021
10:16 PM
I suppose that you are using bash on that host. Then just add to user splunk's (or what ever is your splunk user) ${HOME}/.bashrc the next line alias splunk_ds = /opt/splunk/bin/splunk then source it (source ~splunk/.bashrc) into shell or log in again to that user. After that you could use that command splunk_ds when you needs splunk in cli.
... View more
03-28-2021
10:59 PM
@richgalloway Thank you for the information.
... View more
03-22-2021
08:56 AM
Try installing the Readiness app on a search head.
... View more
03-21-2021
10:57 PM
Hi Team, I have recently installed the PingAccess App for Splunk & PingFederate App for Splunk in our Search head but I couldn't able to see any information in the Dashboards listed. When I navigate to the Dashboards I can able to see a message as " Search is waiting for input..." and in all other dashboard the same message so do we have anything like Inputs which needs to be configured from our end. And if yes, Where should we need to configure it since there is no documentation for the configuration also I couldn't able to find anything in Data inputs as well. So kindly help on my query.
... View more
Labels
03-12-2021
04:27 AM
Can anyone help on my requirement if possible.
... View more
03-09-2021
01:48 AM
Hi All, Can anyone help on my requirement.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
01-02-2025
06:22 AM
|
