Hi, We have created a saved search in-order to trigger from this eventtype=snow_ta_collector_error OR eventtype=snow_ta_log_error. Based on this, we could there were continuous email with this error message are getting triggered. when searched in the ta_snow_main.log found the below message. index=_internal sourcetype=ta_snow source="/opt/splunk/var/log/splunk/splunk_ta_snow_main.log" 2018-06-11 07:19:44,265 ERROR pid=57217 tid=Thread-18 file=snow_data_loader.py:do_collect:169 | Failed to connect https://test.service-now.com/api/now/table/cmdb_rel_ci?sysparm_display_value=false&sysparm_limit=1000&sysparm_exclude_reference_link=true&sysparm_query=sys_updated_on>=2018-06-09+04:03:19^ORDERBYsys_updated_on, reason=Traceback (most recent call last): File "/opt/splunk/etc/apps/Splunk_TA_snow/bin/snow_data_loader.py", line 161, in _do_collect "Authorization": "Basic %s" % credentials File "/opt/splunk/etc/apps/Splunk_TA_snow/bin/httplib2/init_.py", line 1593, in request (response, content) = self._request(conn, authority, uri, request_uri, method, body, headers, redirections, cachekey) Kindly guide me on to troubleshoot the issue. ... View more

Hi had a question from my security team that is, where it will be highly secure to palace the props and transforms configuration file in the splunk environment. I had answered him as Heavy forwarder / Indexer. But not sure whether my answer is correct or not, could please answer this. thanks in advance. ... View more

Hi All, We have a customer requirement to get the SCCM information in splunk, so to do this, we have downloaded the SCCM app from splunk base https://splunkbase.splunk.com/app/2750/ link text and we are using splunk 6.6.1 enterprise splunk instances. The app was successfully installed into the splunk environment, but we are not sure how to configure this app to get the required data from the SCCM. Kindly guide me on this. SCCM version 1.0 Splunk enterprise version 6.6.1 ... View more

Hi, I am getting the following message after installing the db connect add-on 3.1.3 version. We wanted to test the SCCM app, and which requires db connect add-on to configure the inputs. We are using Splunk Trial version 6.6.1 Error details: Unable to initialize modular input "server" defined inside the app "splunk_app_db_connect": Introspecting scheme=server: script running failed (exited with code 1). Kindly guide me how to fix this issue. ... View more

Hi, I'm sure this is really simple but I've been unable to figure out the exact regex to capture the hostname value from the event logs. Sample data: May 29 14:51:56 deast01pano.xxxxx.com 1,2018/05/29 14:51:56,012501001022,6553964590112973819,0x8000000000000000,USERID,login,2049,2018/05/29 14:51:50,0,0,0,0,vsys1,dwest01fw,1,vsys1,10.142.10.172,xxxxx\pulse,deast01fwua.xxxxx.com,0,1,2700,0,0,agent,,0,0,,2018/05/29 14:51:47,1,0,0,0x0,xxxxx\pulse I want to capture dwest01fw and replace it in the host field. I tried this regex and tested in regex101.com but it failed to capture the host . USERID,.+,vsys1,(\w+).+$ Transform syntax : [pan_vsys1_host] REGEX = USERID,.+,vsys1,(\w+).+$ DEST_KEY = MetaData:Host FORMAT = host::$1 Kindly guide me on this. ... View more

Hi All, Currently, I have been requested to build a dashboard to pull the IP address information from various sources of an index. Based on the requirement, I had created a two common input field (Text input and Time picker input) using the token to sync the value to all the panels. Dashboard Panel output Details: 1) Host Name (DNS resolved lookup) 2) DNS queries for this IP address 3) DHCP history for this IP address 4) Firewall log for this IP address 5) Proxy log for this IP address 6) Citrix connection for this IP address All the above dashboard panels share different index details but they have these one field common "src". Challenge: using the common field "src" I have passed the token value but I am finding it difficult to get the output for all the six dashboard panels. EXample: Suppose if the IP address is 10.140.20.22, when this applied in the input token and filter with time picker, I am getting the output to some of the dashboard panels, for other dashboards it shows no result found. Query Details: Dashboard 1: index=network sourcetype=infoblox:network:dhcp src="$IP$" | dedup src | lookup dnslookup clientip as src OUTPUT clienthost as Hostname | table Hostname Dashboard 5: index=application sourcetype=citrix:netscaler:syslog | rex field=src "(?(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3}))" | search src="$IP$" | rename src as Source |table Source Destination NatIP Vserver dvc In this panel, I am getting no result found. Exact requirement: Need to know whether the logic is correct by taking the common field as "SRC" and passing the input value to this field. Kindly guide me on this. ... View more

Hi, I got a request to create a dashboard to get the information on the ipaddress, with multiple panels and one input text tokens, another with Time Picker. One of the Dashboard panel output should contain Hostname (resolved by dns lookup). I was referring the below link to understand https://answers.splunk.com/answers/105246/dns-resolution-in-a-search.html But unable understand the query referred in the link. I mean What search string should be placed before the pipe symbol? | lookup dnslookup clientip as dst OUTPUT clienthost as DST_RESOLVED Could anyone guide me on the query which can fetch the Hostname (resolved by dns lookup). ... View more

Hi All, We would like to added the IIS logs and Apache logs to the CIM model for the Web, not sure what exactly needs to be done to achieve this. So could please guide me on this. thank in advance. ... View more