Activity Feed
- Posted Which TA is able to collect Azure App Insights? on Getting Data In. 04-23-2024 08:25 AM
- Posted Re: Why is my powershell script for input-stanza not working? on Getting Data In. 10-17-2023 01:14 PM
- Posted Re: Why is my powershell script for input-stanza not working? on Getting Data In. 10-17-2023 04:45 AM
- Posted Re: Why is my powershell script for input-stanza not working? on Getting Data In. 10-16-2023 02:33 PM
- Posted Why is my powershell script for input-stanza not working? on Getting Data In. 10-16-2023 02:09 PM
- Got Karma for Re: KV Store Process Terminated. 10-09-2023 08:35 AM
- Got Karma for Re: Splunk DB Connect: How to resolve "Can not communicate with task server, check your settings" error messag. 10-04-2023 07:56 AM
- Posted Cisco Meraki Syslog - Bytes In, Bytes Out on All Apps and Add-ons. 09-14-2023 12:32 PM
- Posted Re: Why a complete 9997 traffic still fails? on Getting Data In. 09-12-2023 02:56 PM
- Posted Re: Why a complete 9997 traffic still fails? on Getting Data In. 09-08-2023 03:03 PM
- Posted Re: Why a complete 9997 traffic still fails? on Getting Data In. 09-08-2023 10:21 AM
- Posted Why a complete 9997 traffic still fails? on Getting Data In. 09-08-2023 09:02 AM
- Posted Re: Splunk DB Connect: How to resolve "Can not communicate with task server, check your settings" error messag on All Apps and Add-ons. 08-22-2023 10:39 AM
- Got Karma for How can I produce a timechart with 1 month span the average of count per day?. 07-28-2023 03:26 AM
- Posted Windows Event Value is `%d` for EventCode=1102 EventType=4 on Splunk Enterprise. 04-20-2023 07:12 AM
- Posted Dashboard Studio Underlying CSS Failure / UI Broken on Splunk Enterprise. 04-14-2023 07:29 AM
- Posted Re: How to get the size of a lookup file from Splunk search on Splunk Enterprise Security. 01-26-2023 03:33 PM
- Got Karma for Is it possible to get the value of a specific row of the $result.$?. 01-20-2023 04:18 AM
- Posted Re: Why can't we re-assign Calculated Fields' ownership via WebUI? on Knowledge Management. 01-09-2023 12:09 PM
- Posted Why can't we re-assign Calculated Fields' ownership via WebUI? on Knowledge Management. 01-09-2023 12:06 PM
04-23-2024 08:25 AM
Question in the title. Thanks in advance!
Labels: inputs.conf
10-17-2023 01:14 PM
I have very little experience with scripting.
10-17-2023 04:45 AM
Thanks to reddit user u/chadbaldwin who pointed out that the fault was in using `Write-Host` rather than `Write-Output`, since `Write-Host` isn't something Splunk is able to capture. Replaced the script to use `Write-Output` and it's now working.
10-16-2023 02:33 PM
In inputs.conf - Splunk Documentation, it says:

```
[powershell://<name>]
schedule = [<positive integer>|<cron schedule>]
* How often to run the specified PowerShell command or script.
* You can specify a number in seconds, or provide a valid cron
  schedule.
* Default: Runs the command or script once, at startup.
```
10-16-2023 02:09 PM
Hi community! I've tried and exhausted all my brain cells but I still couldn't make this work. Any ideas? Below is deployed on a Windows 11 machine running UF 9.1.1: splunk-playground/TA-powershell_scripting/local/inputs.conf at main · morethanyell/splunk-playground (github.com)
Labels: heavy forwarder, scripted input
09-14-2023 12:32 PM
Do you happen to know if Cisco Meraki syslog, especially Flows and URLs, has bytes in and bytes out? We're logging Meraki and there's no field whatsoever for bytes. Is it something that can be configured from the Meraki logger console? Or does the actual solution itself not record that?
09-12-2023 02:56 PM
Network team confirms that the traffic couldn't return back to the source due to a routing issue. The traffic from the src to dest via port 9997 ends only in the first SYN and the ACK couldn't go back.
09-08-2023 03:03 PM
Found one piece of evidence that the problem is the network. At least, finally, I have proof that the network team has to fix it. Basically, I ran a network search from multiple srcs in the same subnet towards the HF:9997 and displayed the bytes_in. This one UF that I have a problem with has bytes_in=0, and the rest have bytes_in comparable to bytes_out. SPL:

```
sourcetype=pan:traffic src=10.68.x.x/16 dest=10.68.p.q dest_port=9997
| stats sparkline(sum(bytes_out)) as bytes_out sparkline(sum(bytes_in)) as bytes_in sum(bytes_in) as total_bytes_return by src dest dest_port
```

This SPL returns hundreds of rows, and when I sort by total_bytes_return, there's a flat line for bytes_in and 0 for the field total_bytes_return for the UF in concern. I can sleep now and pass this over to the network team.
09-08-2023 10:21 AM
The splunkd.log is from the UF - my bad for erroneously writing "HF's splunkd.log" in the caption. The UF can't complete the 9997 connection to the HF despite all evidence (at network level):
- 9997 is allowed
- Firewall logs show traffic is allowed
- Other UFs in the same IP subnet can do the 9997 no problem (e.g. all UFs: 10.68.0.0/16, dest HF: 10.68.2.2:9997)

Why can other UFs, e.g. 10.68.10.10, 11, 12, 13, 14, 15 and many more ---> 10.68.2.2:9997 == OK, but this particular one 10.68.10.16 ---> 10.68.2.2:9997 == results in "An existing connection was forcibly closed by the remote host." and "The TCP output processor has paused the data flow. Forwarding to host_dest=10.68.2.2"
09-08-2023 09:02 AM
I have a UF that's configured to forward to a healthy intermediate HF (9997). The UF is producing "forcibly closed" errors but the HF is healthy and is accepting TCP 9997 from other UFs. What could be the reason for this? Troubleshooting attempts made:
1. Confirming with the network team that rules are in place.
2. TCP dump from the dest (HF), packets received.
3. Telnet from UF to dest (9997), telnet completes.
Any other things I missed?

[Attachment: tcpdump from the HF]
[Attachment: HF's splunkd.log]
Labels: universal forwarder
08-22-2023 10:39 AM
1 Karma
Make sure KV Store is enabled (`splunk show kvstore-status`). I spent 4 hours trying to figure out what's wrong with my instance. Nothing in Splunk docs says that Splunk DB Connect requires KV Store to be enabled.
04-20-2023 07:12 AM
Has anybody encountered Windows Security logs that look like this? If so, how did you guys fix it? Thanks in advance.
Labels: administration, configuration
04-14-2023 07:29 AM
Has anyone experienced this kind of broken UI on Dashboard Studio? I've tried to restart Splunk but it's still happening.
01-26-2023 03:33 PM
Please try this new custom command I built: https://splunkbase.splunk.com/app/6735
01-09-2023 12:09 PM
ChatGPT's response to my question:

```
In Splunk, it is not possible to re-assign the ownership of a calculated field via the WebUI. This is because calculated fields are owned by the user who creates them, and the ownership cannot be transferred to another user.

The reason for this is that calculated fields are considered a type of saved search, and saved searches are owned by the user who creates them. Saved searches are a fundamental component of Splunk, and they play a vital role in many different aspects of the product. As a result, the ownership of saved searches is tightly controlled to ensure that users have full control over their own searches and are not able to access or modify the searches of other users.

If you want to transfer ownership of a calculated field to another user, you will need to delete the calculated field and have the other user create a new calculated field with the same definition. Alternatively, you could share the calculated field with the other user, which would allow them to use it in their own searches and dashboards, but not to modify or delete it.
```
01-09-2023 12:06 PM
Working on a SplunkCloud environment - we always keep things tidy by re-assigning ownership of KOs to either Nobody or the correct user with the correct role. But why can't we do this for Calculated Fields?
Labels: calculated field
08-11-2022 11:16 AM
Hi Linux Experts! Need help on a script that I'm working on to log sudo-enabled users. The script that I'm using is below:

```sh
#!/bin/sh
getent passwd | cut -f1 -d: | xargs -L1 sudo -l -U | grep -v 'not allowed'
```

It is a `.sh` file that's run once a day. The corresponding output is then parsed and massaged by some SEDCMD stuff, not relevant here. This way, I can see which users are able to perform sudo on the machine.

Note: I am aware of the `usersWithLoginPrivs.sh` but this includes users that I'm not interested in. Hence the custom script. If there's another solution you can share, that'd be great.

But here's my PROBLEM: linux admins are complaining that they're getting messaged because the `splunk` user that runs this script is generating messages for them. And they don't want to get the messages. So, they suggested to append this at the end of the command: `> /dev/null 2>&1`, which I did. However, it does not print output anymore for those Splunk UFs that previously were able to.

Yes, the main solution to this problem is to give the `splunk` user permission to run the script. But due to the complexity of our organization, we can't request the same thing across the board. So, basically, of the thousands of linux servers that we have, some can run this script, some cannot. That's currently okay. But for those that cannot, I'd like to modify the script in such a way that it will still work the same but will not produce any error. Is there any alternative?
Labels: administration
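An added example (editor's illustration, not the original poster's script and not Splunk code) of the one-character difference that matters here: `> /dev/null 2>&1` discards stdout as well as stderr, which is why the scripted input went silent, whereas `2>/dev/null` drops only the messages that bother the admins and keeps the audit output flowing to the UF. The `SUDO_CMD` variable and the `filter_sudo_users` / `list_sudo_users` names are assumptions of this example; `-n` is sudo's real non-interactive flag, used so a forwarder with no terminal can never be left waiting at a password prompt.

```shell
#!/bin/sh
# Added example (not the original poster's script): audit which local accounts hold
# sudo rights while sending ONLY stderr to /dev/null. Redirecting "> /dev/null 2>&1"
# silences stdout too, which is why the Splunk scripted input stopped producing output.

# Command used to query a user's sudo rules. Overridable so the logic can be
# exercised without real sudo (assumption: the default is the system sudo binary).
SUDO_CMD="${SUDO_CMD:-sudo}"

# Read user names from stdin and print "user=<name>" for each one that has sudo rules.
filter_sudo_users() {
    while IFS= read -r user; do
        # -n: never prompt for a password (a UF has no terminal). Only stderr is
        # discarded, so stdout still reaches Splunk; a non-zero exit just skips the user.
        out=$("$SUDO_CMD" -n -l -U "$user" 2>/dev/null) || continue
        case "$out" in
            "" | *"not allowed"*) ;;              # no rules, or "is not allowed to run sudo"
            *) printf 'user=%s\n' "$user" ;;
        esac
    done
    return 0
}

# Enumerate every local account (same source as the original script) and filter it.
list_sudo_users() {
    getent passwd | cut -d: -f1 | filter_sudo_users
}

# Run the audit only when invoked with --run, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    list_sudo_users
fi
```

Run it as `sh sudo_audit.sh --run` from the scripted input. On hosts where the `splunk` user is not permitted to run `sudo -l -U`, every per-user call fails on stderr, which is now discarded, and the script exits 0 with an empty result instead of spamming the admins; on hosts where it is permitted, the output is the same list the original pipeline produced.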
08-02-2022 02:06 PM
Just substitute the `makeresults` with your actual query.

```
| makeresults
| eval _raw = "type1,platform1,target1
X,WIN,path/cpp
X,None,path/c
X,LINUX,path/py"
| multikv forceheader=1
| table type1 platform1 target1
| join type=inner left=L right=R where L.platform1=R.platform2 L.target1=R.target2
[| makeresults
| eval _raw = "type2,platform2,target2
Z,WIN,path/cpp
Z,LINUX,path/cpp"
| multikv forceheader=1
| table type2 platform2 target2 ]
| stats c
```
07-28-2022 12:25 PM
Is it necessary to put a `shebang` on a custom Python script that will be executed by `splunk`? The reason why I ask is because the `shebang` is `#!/usr/local/bin/python` but we know that Splunk uses the one at $SPLUNK_HOME/bin/python3. Thanks in advance.
Labels: add-on, Python, scripted input
06-21-2022 09:09 AM
This is what I get.
06-20-2022 02:01 PM
Newly released Splunk 9 introduced an error or invalid stanza on `federated.conf`. Does anybody know how to fix this?

```
Invalid key in stanza [provider:splunk] in /opt/splunk/etc/system/default/federated.conf, line 20: mode (value: standard).
Invalid key in stanza [general] in /opt/splunk/etc/system/default/federated.conf, line 23: needs_consent (value: true).
```
Labels: configuration, troubleshooting
04-12-2022 01:51 AM
Thanks. It did not parse the fields of the logs. I ended up writing our own props for it.
04-08-2022 12:39 PM
The SplunkWorks-built TA called Splunk Add-on for Cisco FireSIGHT said in the description that it is able to parse NGIPS logs. But upon inspection of the `props.conf`, it doesn't have a sourcetype for NGIPS. Which should I use? I tried the `cisco:sourcefire` but it's not working.
03-15-2022 11:43 AM
After a successful saved-search run, the results can be found in the directory `$SPLUNK_HOME/var/run/splunk/dispatch/scheduler__...` We know that the result of the search is named `results.csv.gz`. How do we read this in OS-level apps? Untarring it using `tar -xzvf` does not work. Thanks
Labels: saved search, scheduled search
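An added example (editor's illustration, not from the original post or from Splunk) of reading that file from the OS: `results.csv.gz` is a single gzip-compressed CSV, not a tar archive, so `tar -xzvf` fails while `gzip -dc` (or `zcat`) streams the CSV out. The functions, the constructed sample rows and the temporary directory below are assumptions of this example; the dispatch path is the one the post names.

```shell
#!/bin/sh
# Added example (not from the original post): a dispatch directory's results.csv.gz
# is a gzip-compressed CSV, not a tar archive, so it is read with gzip -dc (zcat),
# never with tar -xzvf.

# Print the decompressed CSV (header row first) from a results.csv.gz file.
read_results() {
    gzip -dc "$1"
}

# Count result rows, i.e. total lines minus the header row.
count_results() {
    n=$(gzip -dc "$1" | wc -l | tr -d ' ')
    echo $((n - 1))
}

# Print the values of one column selected by header name. Handles the simple
# quoted-field case shown below; fields containing embedded commas (e.g. _raw)
# would need a real CSV parser.
column_values() {
    gzip -dc "$1" | awk -F, -v want="\"$2\"" '
        NR == 1 { for (i = 1; i <= NF; i++) if ($i == want) col = i; next }
        col     { gsub(/"/, "", $col); print $col }'
}

# Build a constructed stand-in for a saved search's output and return its path.
# (Constructed data; a real file lives under $SPLUNK_HOME/var/run/splunk/dispatch/<sid>/.)
make_sample() {
    dir="${TMPDIR:-/tmp}/dispatch_example.$$"
    mkdir -p "$dir"
    printf '"_time","host","count"\n"2022-03-15T11:43:00","hf01","42"\n"2022-03-15T11:43:00","uf07","3"\n' \
        > "$dir/results.csv"
    gzip -f "$dir/results.csv"          # writes results.csv.gz and removes results.csv
    echo "$dir/results.csv.gz"
}

# Demo when invoked with --run, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    f=$(make_sample)
    read_results "$f"
    echo "rows: $(count_results "$f")"
    column_values "$f" host
fi
```

On a real dispatch directory, point `read_results` at `$SPLUNK_HOME/var/run/splunk/dispatch/<sid>/results.csv.gz`; the same `gzip -dc` call is what any OS-level tool should use before feeding the CSV to `awk`, `cut` or a spreadsheet.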
02-07-2022 10:19 AM
Hi Community, I'm no Windows expert and just trying to tune an alert that we have in place. It's firing whenever a UF that has `admon` has stopped sending `admon` logs. But I just noticed that `admon` logs can have a similar `dcName` in multiple UFs. For example, a UF whose meta host is "serverA" sends `admon` logs for dcName="serverDC", and a UF whose meta host is "serverB" also sends `admon` logs for dcName="serverDC". Would it be reasonable to just replace the host of the UF with the value for dcName under the ActiveDirectory props.conf stanza? Thanks.
Labels: configuration