Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About Prewin27
Prewin27
Contributor
Member since:
12-12-2019
Thursday
Community Statistics
| Posts | 111 |
| Solutions | 11 |
| Karma Given | 2 |
| Karma Received | 30 |
| Member Since | 12-12-2019 |
Activity Feed
- Got Karma for Re: add new fieldname to empty and also filled csv lookup. Friday
- Posted Re: Sometimes searches are not running on iPad on Splunk Search. Thursday
- Posted Re: The is_risky parameter not working as expected on Splunk Enterprise. Thursday
- Got Karma for Re: Writing regex for specific /var/log/*.log files. Thursday
- Posted Re: Writing regex for specific /var/log/*.log files on Getting Data In. Thursday
- Posted Re: Writing regex for specific /var/log/*.log files on Getting Data In. Thursday
- Posted Re: add new fieldname to empty and also filled csv lookup on Splunk Search. Thursday
- Posted Re: add new fieldname to empty and also filled csv lookup on Splunk Search. Wednesday
- Posted Re: Error saving event-based detection. Missing detection_id for the detection= on Splunk Enterprise Security. Wednesday
- Posted Re: Error saving event-based detection. Missing detection_id for the detection= on Splunk Enterprise Security. Wednesday
- Posted Re: Sometimes searches are not running on iPad on Splunk Search. Wednesday
- Got Karma for Re: Data Model Accelerations are very slow. Tuesday
- Got Karma for Re: Data Model Accelerations are very slow. Tuesday
- Posted Re: Replicate tags.conf between search heads on Splunk ITSI. Tuesday
- Posted Re: Data Model Accelerations are very slow on Knowledge Management. Tuesday
- Posted Re: [Errno -2] Name or service not known on All Apps and Add-ons. Tuesday
- Posted Re: Splunk install, upgrade on different hardware on Splunk Enterprise. Tuesday
- Posted Re: Data Model Accelerations are very slow on Knowledge Management. Tuesday
- Posted Re: Data Model Accelerations are very slow on Knowledge Management. Tuesday
- Got Karma for Re: Data Model Accelerations are very slow. Tuesday
Topics I've Started
No posts to display.
3 weeks ago
@dinesh001kumar Natively, Splunk Cloud Studio dashboards do not support playing audio alerts. As a workaround you can consider alert actions such as emails, webhooks, or integrations with external systems/scripts to play audio. Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!
... View more
3 weeks ago
2 Karma
@Sweets000 Did you remove ES Apps(/etc/apps/) from the CM(deployer in your case) after your deployment to shcluster apps folder, looks like your CM is running all the ES Apps searches(from /etc/apps/) which is causing skipped searches on CM. Remove ES from the CM’s Splunk instance: Stop Splunk on the CM. Remove the ES app directory from $SPLUNK_HOME/etc/apps/ on the CM. Start Splunk on the CM. Verify ES is only on SHC members: Ensure the ES app and its configurations are only present on the SHC members, deployed via the deployer ($SPLUNK_HOME/etc/shcluster/apps/). Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!
... View more
3 weeks ago
1 Karma
@KishoreSrini Can you check if there is any permission issue? collectd: processmon plugin: Error reading /proc/3605381/stat collectd failed to read process stats, likely because the process with PID 3605381 ended or permissions were insufficient "/opt/splunkforwarder/var/log/splunk/splunkd.log": No such file or directory - Splunk couldn't access it's main splunkd.log file this also indicates about file unavailablity or permission issue Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!
... View more
3 weeks ago
@bakeery Are you using sysmon add-on? #https://splunkbase.splunk.com/app/5709 Also refer below #https://community.splunk.com/t5/Getting-Data-In/Why-isn-t-the-Sysmon-Technology-Add-on-Parsing-my-Sysmon-Logs/m-p/370757 Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!
... View more
4 weeks ago
@Emre You can use Splunk’s Field Extractions (props/transforms) or rex in your SPL to extract fields at search time For Eg: | rex field=_raw "Module:(?<Module>[^\n]+)" | rex field=_raw "Microflow:\s*(?<Microflow>[^\n]+)" | rex field=_raw "latesteror_message:(?<latesteror_message>[^\n]+)" | rex field=_raw "http status:\s*(?<http_status>\d+)" | rex field=_raw "Http reasonphrase\s*(?<Http_reasonphrase>[^\n]+)" But best practice is to structure the data at source itself. Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!
... View more
4 weeks ago
@sverdhan Try below with clients, | tstats count WHERE index=* by index sourcetype | rex field=index max_match=0 "(?<clients>\w+)(?<sensitivity>_private|_public)" | lookup appserverdomainmapping.csv clients OUTPUT NewIndex, Domain, Sourcetype | eval NewIndex=NewIndex.sensitivity | table clients, sensitivity, Domain, Sourcetype, NewIndex If you do not need to add clients, and to just display lookup fields you can use appendcols | tstats count WHERE index=* by index sourcetype | rex field=index max_match=0 "(?<clients>\w+)(?<sensitivity>_private|_public)" | appendcols [| inputlookup appserverdomainmapping.csv | fields Domain, Sourcetype, NewIndex] | eval NewIndex=NewIndex.sensitivity | table clients, sensitivity, Domain, Sourcetype, NewIndex Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!
... View more
4 weeks ago
@sgarcia Blank h (host) values in license usage logs are due to Splunk's "squashing" process. This occurs to optimize log storage and performance when there are too many unique values to track individually If possible, analyze your actual event data Eg: index=wineventlog | stats sum(len(_raw)) as bytes by host | eval GB=round(bytes/1024/1024/1024, 2) | sort -GB Also check Licensing usage reports and to split by host for last 60 days if available or try from metrics.log to identify which ones have high thruput. index="_internal" source="*metrics.log" group="per_host_thruput" Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!
... View more
4 weeks ago
1 Karma
@Anders333 Is it possible for you to configure the app to use standard log rotation (e.g., rename and create a new file when full, or truncate/append)? If you continue current log rotation, Splunk may miss or duplicate events, and reliable ingestion cannot be guaranteed. Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!
... View more
4 weeks ago
@chrisboy68 If you want the latest cost for each ID per month, try this, index=main | bin _time span=1mon | stats latest(Cost) as Cost latest(bill_date) as bill_date latest(_time) as _time by ID _time | table bill_date ID Cost _time Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!
... View more
4 weeks ago
@new You can start with _internal index, For eg: index=_internal sourcetype=*addon* OR source=*ta_* OR source=*addon* Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!
... View more
4 weeks ago
@jrodriguezap Can you try this, | eval pair=mvzip('Instance name', 'Search execution time', "||") | mvexpand pair | eval "Instance name"=mvindex(split(pair,"||"),0), "Search execution time"=mvindex(split(pair,"||"),1) | fields "Domain Name" "Instance name" "Last Phone home" "Search execution time" Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!
... View more
4 weeks ago
@Andre_ Another option you can consider is to change the destination path for the Windows Event Logs in Event Viewer and configure Splunk to monitor this new location. This approach allows you to start collecting only new events, effectively avoiding the indexing of historical data. Additionally, by using the standard Splunk input settings (without current_only = 1), you ensure that no events are missed during restarts, as Splunk will continue to track and ingest all new events from the updated log file. Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!
... View more
4 weeks ago
With current_only = 1 On first start, the UF reads only new events that arrive after the input is enabled.It skips all historical events present in the log at the time the input is first started. If the UF is stopped and restarted, it will pick up where it left off (using checkpoints), so normally it will ingest events that occurred while it was down. #https://help.splunk.com/en/splunk-enterprise/get-started/get-data-in/9.4/get-windows-data/monitor-windows-event-log-data-with-splunk-enterprise Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!
... View more
4 weeks ago
@sawwinnaung Try below, props.conf [linux_audit] TRANSFORMS-set = discard_proctitle [source::/var/log/audit/audit.log] TRANSFORMS-set = discard_proctitle transforms.conf [discard_proctitle] REGEX = type=PROCTITLE DEST_KEY = queue FORMAT = nullQueue Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos/Karma. Thanks!
... View more
4 weeks ago
@Andre_ You are correct. Unlike file-based inputs, Windows Event Log inputs in Splunk Universal Forwarder (UF) do not provide a built-in option in inputs.conf to exclude events based on their age at collection time. This means you cannot natively configure the UF to only ingest Windows events newer than 7 days during onboarding. But, If you want to ingest only new Windows Event Log events (and skip all historical data), set current_only = 1 in your inputs.conf. Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos/Karma. Thanks!
... View more
4 weeks ago
@dinesh001kumar 1-Due to security restriction, normally you can't upload or reference custom js files directly in the cloud. You can raise a support request to include simple xml js extensions for review and to upload it for you. 2-You can use the <html> panel in Simple XML dashboards for custom HTML, but it is limited. Normally you cannot use inline JavaScript, and some HTML elements may be restricted. Alternative - Unfortunately use the built-in features of Dashboard Studio or Simple XML extensions. For specific needs, reach out to Splunk Cloud Support to request a review and upload of vetted JS/CSS files. Audio Support-Dashboard Studio does not natively support embedding or playing audio files. As a workaround, you could set up external alerting (e.g., send a webhook/email to a system that plays audio) Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos/Karma. Thanks!
... View more
4 weeks ago
@Trevorator I dont think there is any Splunk setting to enable automatic retry or continuation for .tsidx file operations. The only way to ensure all data is accelerated and .tsidx files are preserved is to maintain a healthy infrastructure and address any resource limitations. Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos/Karma. Thanks!
... View more
a month ago
1 Karma
@Trevorator After the initial creation of data model acceleration summaries, Splunk regularly runs scheduled summarization searches to incorporate new data and remove information that is older than the defined summary range. If a summarization search exceeds the Max Summarization Search Time limit, it is stopped before completing its assigned interval. Normally, Splunk does not automatically retry or continue the interrupted summarization for that specific time window, which can result in gaps in your accelerated data if summarization searches repeatedly fail or time out. These gaps mean that some events will not be included in the .tsidx summary files, causing searches that rely on tstats summariesonly=true to miss those events I would say best approach is to address the resource constraints causing your summarization searches to run too long. Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos/Karma. Thanks!
... View more
a month ago
@bspalding Use initCrcLength if your files are extremely similar at the start and the UF is getting confused Eg: Note-Change initCrcLength value based on your similar header size [monitor://E:\path\logfile*.log] disabled = 0 initCrcLength = 256 crcSalt = <UNIQUESOURCE> index = XXXX sourcetype = XXXX _meta = env::prod-new Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos/Karma. Thanks!
... View more
06-11-2025
08:53 PM
@Raghavsri Whats the version of splunk you are running? Also to start with, check few options. Review logs: Look for errors, warnings, or abnormal behavior in splunkd.log Check destination health: Ensure that SyslogNG and the second indexer cluster are healthy and accepting data efficiently Also If HF2 is not able to forward data fast enough (due to network, destination, or performance issues), the queue fills up, consuming memory Memory upgrade: Increasing memory on HF2 may help if the issue is due to legitimate high data volume and not a leak or misconfiguration. However, if the problem is a memory leak/bandwidth issue, increasing memory will only delay the inevitable crash Load Balancing: Consider load balancing across multiple HFs if possible, to distribute the data load Monitor memory usage: Set up alerts for high memory usage to detect issues early. Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos/Karma. Thanks!
... View more
06-10-2025
11:37 PM
@SN1 If you must move indexed data from the indexer to the Search Head, you can copy the data files, Stop Splunk on both the indexer and the Search Head. Copy the index data directories from the indexer to the Search Head: Example: Copy $SPLUNK_HOME/var/lib/splunk/<index_name> from the indexer to the same path on the Search Head. Ensure file ownership,permissions,storage size,os and splunk versions are correct on the Search Head. Also make sure you have configuration for the indexes.conf for the indexes you have. Start Splunk on the Search Head. Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos/Karma. Thanks!
... View more
06-10-2025
11:17 PM
@SN1 To clarify your scenario, You want Search Head to query the indexer for data as needed or having data on the Search Head for testing/some reason without using the indexer?
... View more
06-10-2025
09:31 PM
@a1bg503461 The error highlights that, opt_ca_certs_path is not defined in your configuration Are you using SSL/TLS with Elasticsearch? If yes Make sure you mention your .crt path in your config Eg: opt_ca_certs_path = /path/to/your/ca.crt If you are not using SSL/TLS, then try below in your config use_ssl = 0 # opt_ca_certs_path = Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos/Karma. Thanks!
... View more
06-10-2025
09:14 PM
1 Karma
@cdevoe57 As mentioned by @bowesmana Its not best to use join, as it can sometimes cause fields from lookup to be lost. but anyway can you try below if you still want to use join, | inputlookup system_info.csv | eval System_Name=System | join type=left System_Name [ | search index=servers sourcetype=logs | stats latest(_time) as Time by System_Name | eval mytime=strftime(Time,"%Y-%m-%dT%H:%M:%S") | eval now_time = now() | eval last_seen_ago_in_seconds = now_time - Time ] | stats values(*) as * by System_Name | lookup system_info.csv System_Name OUTPUT Location Responsible | eval MISSING = if(isnull(last_seen_ago_in_seconds) OR last_seen_ago_in_seconds>7200,"MISSING","GOOD") | where MISSING=="MISSING" | table System_Name Location Responsible MISSING or you can also try and check below, without join. index=servers sourcetype=logs | stats latest(_time) as Time by System_Name | eval last_seen_ago_in_seconds = now() - Time | eval MISSING = if(isnull(last_seen_ago_in_seconds) OR last_seen_ago_in_seconds>7200, "MISSING", "GOOD") | where MISSING=="MISSING" | lookup system_info.csv System_Name OUTPUT Location Responsible | table System_Name Location Responsible MISSING last_seen_ago_in_seconds | sort -last_seen_ago_in_seconds Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos/Karma. Thanks!
... View more
06-10-2025
08:50 PM
@caschmid \d+ matches only digits, not any word. If "This is my" is always constant, you can try below rex field=_raw "This is my (?<string>\w+)" | stats count by string Regards, Prewin Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos/Karma. Thanks!
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
Thursday
|
