Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About omuelle1
omuelle1
Communicator
Member since:
08-26-2015
04-18-2023
Community Statistics
| Posts | 78 |
| Solutions | 6 |
| Karma Given | 22 |
| Karma Received | 6 |
| Member Since | 08-26-2015 |
Activity Feed
- Got Karma for Re: Why is my Azure Event Hub not sending data?. 04-18-2023 04:45 PM
- Posted Re: Why is my Azure Event Hub not sending data? on Getting Data In. 04-18-2023 08:37 AM
- Posted Why is my Azure Event Hub not sending data? on Getting Data In. 04-04-2023 07:36 AM
- Got Karma for Restart Splunk Inputs through API Call. 11-04-2020 01:43 AM
- Posted Restart Splunk Inputs through API Call on Building for the Splunk Platform. 07-22-2020 08:22 AM
- Karma Re: Sourcetype on SH overwriting config on HF for solarboyz1. 06-05-2020 12:50 AM
- Karma Re: Splitting up one data source into two indexes in O365 for gcusello. 06-05-2020 12:50 AM
- Karma Re: Splitting up one data source into two indexes in O365 for oscar84x. 06-05-2020 12:50 AM
- Got Karma for Re: How to pass variable or token from subsearch to search. 06-05-2020 12:50 AM
- Karma Re: Why is the O365 add-on failing to refresh access tokens? for ehollima. 06-05-2020 12:49 AM
- Karma Re: Subsearch to sum two fields by a common field for elliotproebstel. 06-05-2020 12:49 AM
- Karma Re: How to break multiple values into a new row ? for harsmarvania57. 06-05-2020 12:49 AM
- Karma How to break multiple values into a new row ? for rsokolova. 06-05-2020 12:49 AM
- Karma Re: How to index data where the timestamp is not on every line or at the the beginning of a line? for gcusello. 06-05-2020 12:48 AM
- Karma Re: Moved indexed data to different mount - not seeing it for woodcock. 06-05-2020 12:48 AM
- Karma Re: How to display the first 3 lines of an event that has triggered an alert? for somesoni2. 06-05-2020 12:48 AM
- Karma Re: How to display the first 3 lines of an event that has triggered an alert? for MattZerfas. 06-05-2020 12:48 AM
- Karma Re: When making changes to .conf files in a distributed environment, how do I make sure changes get pushed to indexers and forwarders? for esix_splunk. 06-05-2020 12:48 AM
- Karma Re: Reindex Duplicates / Reindex duplicate data for nabeel652. 06-05-2020 12:48 AM
- Karma Re: Data not being indexed for mattymo. 06-05-2020 12:48 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 |
04-18-2023
08:37 AM
1 Karma
Figured out the issue with Splunk Support - the Splunk Add-On for Cloud Services supports a max of 64 partitions. We had 100, once we reduced to 64 the error message disappeared and the data started coming in.
... View more
04-04-2023
07:36 AM
Good morning,
I am having an issue on-boarding our main Eventhub into the Splunk Add-On for Cloud Services (latest version).
I have setup the inputs just like my other Eventhub but it is not sending data:
Below is the setup:
This is error I find in the logs:
logger=azure.eventhub._eventprocessor.event_processor pos=event_processor.py:_load_balancing:286 | EventProcessor instance '#####' of eventhub '#######' consumer group '$Default'. An error occurred while load-balancing and claiming ownership. The exception is AssertionError(). Retrying after 60s
I have a case open with MS and Splunk but no help so far.
Oliver
... View more
07-22-2020
08:22 AM
1 Karma
Hi, I am having an issue that the Microsoft 0365 Reporting Add-On continues to stop working. We found that usually a restart of the input in the WebUI fixes the issue. Now I was wondering if it possible to restart those inputs through an API call. I found the command that Splunk performs when you disable the Inputs in the Add-On to be from tine internal logs: admin [22/Jul/2020:09:49:19.674 -0400] "POST /servicesNS/nobody/TA-MS_O365_Reporting/data/inputs/ms_o365_message_trace/ms_o365_message_trace/disable HTTP/1.1" I have tried in powershell different variations of this command below but didn't have any luck so far. Is possible to call these WebUI commands through an API command ? Invoke-Restmethod -Uri http://localhost:8088/servicesNS/nobody/TA-MS_O365_Reporting/data/inputs/ms_o365_message_trace/ms_o365_message_trace/disable -Method POST
Invoke-Restmethod : {"text":"The requested URL was not found on this server.","code":404}
At line:1 char:1
+ Invoke-Restmethod -Uri http://localhost:8088/servicesNS/nobody/TA-MS ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Thank you, Oliver
... View more
Labels
- Labels:
-
rest API
-
SDK
-
Splunk Web Framework
04-22-2020
05:18 AM
Hey guys,
has anyone integrated MS Teams data into Splunk? I am trying to find information on how many teams meetings are being held, how many users are in a meeting etc.
Has anyone integrated that data successfully ? I do have the Azure Add-On, Microsoft Cloud Services Add-On and O365 Add-On installed but none of these Add-Ons give me any Teams details.
Oliver
... View more
- Tags:
- splunk-cloud
- teams
03-12-2020
06:17 AM
Hey guys,
I got some question regarding parsing queue issues I have been observing on our Heavy Forwarders. I am currently seeing between 500 and 1000 blocked events on each heavy forwarder daily when running:
index=_internal host=HF blocked=true
The total ratio of blocked events seems to be about 10% and they mostly all seem to appear in the aggqueue:
My main question is if this is reason for concern or what the impact on my current Splunk environment would be. Also why would all this blocking be in mainly one queue ?
Thank you,
Oliver
... View more
02-26-2020
11:43 AM
A Splunk sales rep would provide you with the actual cost per month. Other factors as go in here dependent on what kind of Service Agreement you choose, but your best course of action is ask a Splunk sales rep for pricing.
... View more
02-07-2020
08:41 AM
Thank you, guys. The mail idea brought me on the right track.
The email apparently sometimes gets quarantined because of its attachment and then released automatically an hour later.
... View more
02-07-2020
08:24 AM
I don't think it's the TZ since they are delayed only some of the time.
So the alert fired at 6:00 AM, when it is scheduled to run:
2020-02-07 06:00:27,173 -0500 INFO sendemail:134 - Sending email. subject="Splunk Alert: 24 Hour Remote Country Login with MFA Check", results_link="https://XXXX.splunkcloud.com/app/XX_custom_app/@go?sid=scheduler_c2VjX2das9saXZlci5tdWVsXXXbGVyQG9tZy5jcdasdmhvbWcuY29t_T01HX2N1c3RvbV9hcHA__RMD5a1b9cc0db37475e5_at_1581073200_64487", recipients="[u'XXX@XXX.com']", server="XX.XX.XX.1:25"
However the email arrived in my inbox at 7 AM. Yesterday it came at 6 AM as scheduled, so it's not very consistent. But when it is delayed it is delayed but 1 hour.
... View more
02-07-2020
04:37 AM
Hi,
I have lately seen an issue that some scheduled alerts that contain attachments seem to get emailed to me one hour later than scheduled. I assume this has to do with volume of the alerts and searches scheduled but I haven't been to able to nail it down. When I look in the metadata for information about the delayed scheduled search it does show that it ran at the scheduled time, however the email alert often arrives exactly one hour later in my inbox.
Has anyone experience with this kind of issue?
Oliver
... View more
11-06-2019
04:51 AM
Hey guys, thank you for your help. Looks like I needed an additional fields.conf file on my HF to extract the fields at Heavy Forwarder level
... View more
11-05-2019
06:35 AM
I understand, but due our setup in this case we want to do it at the HF level. I mean that should be possible as well.
... View more
11-05-2019
05:54 AM
We are in a shared environment with several companies sharing a Cloud environment, but we do have some autonomy on the Heavy Forwarder level which is why we want to extract the fields there.
Thank you for your reply, based on this documentation I wrote my .conf files, but they are not extracting in the described Heavy Forwarder situation.
... View more
11-05-2019
05:36 AM
Hi,
I am having an issue when we are trying to extracts fields at the Heavy Forwarder level. We are in a shared Cloud Environment but some Heavy Forwarders are local, so we want these HFs do the field extraction, however it doesn't seem to work.
I created a transforms.conf and props.conf and when I tested it on my local Splunk instance without a Heavy Forwarder it does work:
Props.conf:
## Custom Extractions Meraki ##
TRANSFORMS-Logtype=Logtype
TRANSFORMS-pattern=pattern
TRANSFORMS-security_event_dtl=security_event_dtl
TRANSFORMS-message=message
TRANSFORMS-request=request
TRANSFORMS-src=src
TRANSFORMS-user=user
## Change user field ##
EVAL-user = replace(user, "\\\,\\\20", ",")
Transforms.conf
## Extract custom Meraki fields ##
[Logtype]
SOURCE_KEY = source
REGEX = \\meraki\\(?<Logtype>\w+)
[pattern]
SOURCE_KEY = _raw
REGEX = pattern:(?<pattern>.*)
[security_event_dtl]
SOURCE_KEY = _raw
REGEX = security_event\s(?<security_event_dtl>\w+)\s\w+
[message]
SOURCE_KEY = _raw
REGEX = message:(?<message>.*)
[request]
SOURCE_KEY = _raw
REGEX = request:\s\w+(?<request>.*)
[src]
SOURCE_KEY = _raw
REGEX = client_ip='(?<src>.*)
[user]
SOURCE_KEY = _raw
REGEX = CN=(?<user>.*?),OU
From my understanding it should be possible to make these fields extractions at the Heavy Forwarder level , correct?
I appreciate your help,
Oliver
... View more
08-27-2019
01:11 PM
Hi,
I am working in a shared environment with several Heavy Forwarders that sent data to Splunk Cloud Indexers and a shared Splunk Cloud Search Head.
I have noticed that when I set up a sourcetype on the HF with the same name as a sourcetype on the Search head - the Search head sourcetype seems to supersede the configuration of the local sourcetype on the HF.
For example if I specify the timezone TZ=GMT on the sourcetype=IIS on the HF but on the SH the TZ is not set to GMT, it looks to me that sourcetype configuration on the SH supersedes the configuration on the HF. Would that be a correct assumption?
Thank you,
Oliver
... View more
07-25-2019
12:02 PM
Hi,
I am seeing a similar issue in my environment. Could you elaborate how you replaced the certificates ?
Thank you so much!
... View more
06-25-2019
07:56 AM
Thank you I just did that with some test data and it worked. I will need to try it as well once I have the live data.
... View more
06-04-2019
01:15 PM
I would recommend creating a field to extract the data using a regex:
Something like:
| rex field=_raw max_match=0 "\"(?.*)\""
... View more
06-04-2019
12:17 PM
Check out this here:
https://docs.splunk.com/Documentation/SplunkCloud/7.2.4/User/SelfServiceAppInstall
I think you need to upload the app file that contains all folders and .conf files and Splunk supports vets it and installs it then.
... View more
06-04-2019
11:26 AM
I think you would have to chat with your Splunk contact and share the app with them since only Splunk has access to the SplunkCloud to deploy a custom app.
... View more
05-31-2019
06:05 AM
Good morning,
I have a question regarding Office 365 data:
I have two organizations that share one O365 tenant.
Both organizations want to have their own Splunk O365 index and only see their data.
I am able to differentiate the data by domains of users.
Is there a way to write a transforms.conf or props.conf with which I could parse the data with certain domains to go to one index and data with certain domains to the other?
Thank you,
Oliver
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
04-18-2023
03:19 PM
|
Karma from
Karma given to
