Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About vishaltaneja070
vishaltaneja070
Motivator
Member since:
03-09-2020
01-20-2022
Community Statistics
| Posts | 352 |
| Solutions | 30 |
| Karma Given | 0 |
| Karma Received | 69 |
| Member Since | 03-09-2020 |
Activity Feed
- Got Karma for Re: Renewing server.pem certificate. 06-12-2025 09:02 AM
- Got Karma for Re: Renewing server.pem certificate. 11-20-2024 07:52 AM
- Got Karma for Re: How do I retrieve the first and last date from each month?. 05-22-2024 06:59 AM
- Got Karma for Re: How to restart Universal Forwarder via the deployment server?. 01-23-2024 05:36 AM
- Got Karma for Re: How do I renew a Splunk forwarder's default certificate?. 09-19-2023 01:14 AM
- Got Karma for Re: Renewing server.pem certificate. 07-19-2023 08:57 AM
- Got Karma for Re: Can you help me with the following mongod kvstore error?. 04-05-2023 02:07 PM
- Got Karma for Re: What is the purpose of the sourcetype "stash_new"?. 12-02-2022 02:59 AM
- Got Karma for Re: Renewing server.pem certificate. 11-01-2022 11:11 AM
- Got Karma for Re: Renewing server.pem certificate. 09-29-2022 02:08 AM
- Got Karma for Re: Search factor vs Replication factor. 08-03-2022 06:58 AM
- Got Karma for Re: Renewing server.pem certificate. 07-12-2022 06:40 AM
- Got Karma for Re: How do I renew a Splunk forwarder's default certificate?. 03-10-2022 09:20 AM
- Got Karma for Re: Renewing server.pem certificate. 03-02-2022 07:20 AM
- Got Karma for Re: Renewing server.pem certificate. 03-02-2022 06:06 AM
- Got Karma for Re: Renewing server.pem certificate. 02-10-2022 03:39 AM
- Got Karma for Re: Splunk eval if with wildcard. 01-24-2022 06:19 AM
- Posted Re: Splunk DB connect connection to AWS Athena on Splunk Enterprise. 01-20-2022 01:39 AM
- Posted Splunk DB connect connection to AWS Athena on Splunk Enterprise. 01-19-2022 08:04 AM
- Got Karma for Re: Renewing server.pem certificate. 01-08-2022 08:36 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
10-10-2019
01:14 AM
Even sometimes, no saved search specified as well.
... View more
10-10-2019
01:07 AM
In one of servers, we are getting search is waiting warning for quite long time. It takes around 10 seconds after that it will be loaded.
... View more
09-26-2019
06:49 AM
@bwooden Not working in Windows CLI.
... View more
09-26-2019
12:47 AM
Hello All,
Some of the queues are getting blocked in Splunk. Need help to solve it.
... View more
09-03-2019
12:09 AM
@kamlesh_vaghela
then it is the issue with versioning this feature has been added after 7.1. I have tested it in 7.2 it is working as what I mentioned above.
... View more
08-30-2019
03:38 AM
@kamlesh_vaghela
yes correct, Admin icon is coming but it is not opening in new tab.
... View more
08-30-2019
12:49 AM
Need to know if any one has solution of open in new tab option in nav, like we do in html or xml i.e. target="_blank"
Tried with something like this but didn't work:
<a href="admin" target="_blank">Admin</a>
... View more
- Tags:
- nav
- splunk-enterprise
08-01-2019
12:17 AM
Hello All,
If one user is part of multiple LDAP groups which are linked in Splunk. Which one will he assigned to?
Like we do map of roles with LDAP group.
Thanks !
... View more
07-19-2019
05:07 AM
You can do it like this:
you have to use transform to change the sourcetype like below:
props:
[source::/opt/app/logs/openam/authentication.audit.json]
TRANSFORMS-changesourcetype = newsourcetype
transforms:
[newsourcetype]
REGEX = .
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::Forgerock
... View more
07-12-2019
03:10 AM
Hello
I have used the below setting in props, but the first event is not able to extract the timestamp:
[sourcetype]
SHOULD_LINEMERGE=false
NO_BINARY_CHECK=true
TIME_FORMAT=%m/%e/%Y %H:%M:%S %p
TIME_PREFIX=[\r\n]+
MAX_TIMESTAMP_LOOKAHEAD=50
LINE_BREAKER=([\r\n]+)(\/\/\s[\-]+\s\/\/)
BREAK_ONLY_BEFORE=([\r\n]+)(\/\/\s[\-]+\s\/\/)
TRUNCATE=0
SEDCMD-EXTRALINES=s/\/\/\s[\-]+\s\/\///g
Event Sample
6/12/2019 4:12:40 AM (6/12/2019 8:12:40 AM) LogLevel=Information
Process_ID=6175, Thread.Thread_ID=8588 Thread.Thread_Name=()
Message=c
Extended Properties
Origin=hxhdgjshjs
TrackingToken=1c1fb75e-jdhhdd-jdhjdhd
// ----------- //
6/12/2019 4:13:40 AM (6/12/2019 8:13:40 AM) LogLevel=Information
Process_ID=6175, Thread.Thread_ID=85883 Thread.Thread_Name=()
Message=c
Extended Properties
Origin=hxhdgjshjs
TrackingToken=1c1fb75e-jdhhdd-jdhjdhd
// ----------- //
6/12/2019 4:14:40 AM (6/12/2019 8:14:40 AM) LogLevel=Information
Process_ID=6175, Thread.Thread_ID=85488 Thread.Thread_Name=()
Message=c
Extended Properties
Origin=hxhdgjshjs
TrackingToken=1c1fb75e-jdhhdd-jdhjdhd
// ----------- //
Also I don't want to use SHOULD_LINEMERGE=true. Thanks!
... View more
07-08-2019
04:16 AM
Hello @aala
I think the issue is with the regex, it should be like:
[setnull]
REGEX = \[sshd\]
DEST_KEY = queue
FORMAT = nullQueue
Always test the regex first on https://regex101.com/ if the regex is able to match the event then it will work great.
And also no need to restart Splunk again and again for this, you can directly run on any browser:
http://<your-splunkserver>:8000/en-US/debug/refresh
... View more
07-08-2019
04:12 AM
@FrankVl
I have given one example the format changes in different logs, i need some generalised thing which can work for all kind of logs.
... View more
07-08-2019
04:09 AM
@ajitshukla
Can you please check the internal logs and see if they are getting spiked because of hardware restrictions.
... View more
07-08-2019
04:04 AM
Hello @aalaa,
That would be easy to do. If you know which source it is then use props and transforms to do it.
Please check the below link:
https://docs.splunk.com/Documentation/Splunk/7.3.0/Forwarding/Routeandfilterdatad
... View more
07-05-2019
05:46 AM
@eholz1
Did you check the mongod,log file which is available in var\log\splunk\mongod.log
... View more
07-05-2019
05:39 AM
Hello @NirajAlly
If for every instance you are getting different events then it will be pretty east easy
as for every field which is visible on the json above will have one field available in interesting field
Just click on All fields and try to search idle,you will see the field exists and use that to run the chart command.
... View more
07-05-2019
05:22 AM
Hello @ajitshukla61116
You need to assign user schedule_rtsearch capability
Please find the below link which can give you better idea:
https://docs.splunk.com/Documentation/Splunk/7.3.0/Security/Rolesandcapabilities
... View more
07-05-2019
05:15 AM
@twh1
I would suggest you two ways here:
1. Use automatic lookup based where for sourcetype="test:data"
in input fields you can mention PROC_CODE and if you want fields from lookup them you can use field value override option.
By using that the fields will be automatically will be available in search
like
index="test_data" sourcetype="test:data" | table TIMESTAMP SID SYS_NAME PROC_TYPE PROC_PARA PROC_CODE PROC_NAME PROC_VALUE
Other way is using lookup as suggested by @gcusello in comments:
like
index="test_data" sourcetype="test:data"
| lookup PROC_CODE as PROC_CODE OUTPUT PROC_CODE PROC_NAME PROC_PARA PROC_TYPE
| table TIMESTAMP SID SYS_NAME PROC_TYPE PROC_PARA PROC_CODE PROC_NAME PROC_VALUE
... View more
07-02-2019
03:28 AM
@vnravikumar
Thanks It worked!
... View more
07-02-2019
12:58 AM
In this they have example for column based,not with row based. I need to setup using row based.
... View more
07-02-2019
12:50 AM
Need to add icons based on a row in Splunk Dashboard
Like:
ICONS should be:
Down: 'alert-circle',
Unknown: 'question-circle',
Up: 'check-circle',
N/A: 'question-circle',
Warn: 'warning-sign'
Below is the dashboard sample code:
<dashboard>
<label>Color</label>
<row>
<panel>
<title>Color</title>
<table>
<search>
<query>| makeresults | eval A="UP" | eval B="DOWN" | eval C="UNKNOWN" | eval D="N/A" | eval E="WARN" | eval F="UP" | fields - _time</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">100</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</dashboard>
The number of columns can be increased.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
01-20-2022
01:06 PM
|
